CVE-2026-24428
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges.
Analysis
Tenda W30E V2 firmware through version 16.01.0.19(5037) allows authenticated users with low privileges to escalate to administrator by exploiting broken authorization in the user management API, enabling password changes for admin accounts without proper access controls. An attacker with any valid user account can bypass web interface restrictions and gain full administrative access to the device. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Tenda W30E V2 devices in your environment and document firmware versions; disable remote management access if enabled. Within 7 days: Implement network segmentation to restrict administrative access to these devices; audit recent access logs for suspicious password changes. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today