
W30e Firmware CVE-2026-24428

Severity: HIGH (CVSS 3.1 score 8.8)
Weakness: Incorrect Authorization (CWE-863)
2026-01-26 disclosure@vulncheck.com

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 22:00 (vuln.today)
CVE Published: Jan 26, 2026 - 18:16 (nvd), HIGH 8.8

Description (NVD)

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges.

Analysis (AI)

Tenda W30E V2 firmware through version 16.01.0.19(5037) allows authenticated users with low privileges to escalate to administrator by exploiting broken authorization in the user management API, enabling password changes for admin accounts without proper access controls. An attacker with any valid user account can bypass web interface restrictions and gain full administrative access to the device. …


Remediation (AI)

Within 24 hours: Identify all Tenda W30E V2 devices in your environment and document firmware versions; disable remote management access if enabled. Within 7 days: Implement network segmentation to restrict administrative access to these devices; audit recent access logs for suspicious password changes. …
