
W30e Firmware CVE-2026-24429

CRITICAL · CVSS 3.1 base score 9.8 (NVD)
Use of Default Password (CWE-1393)
2026-01-26 · disclosure@vulncheck.com

Severity by source

NVD (primary): 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Analysis Generated: Mar 12, 2026 - 22:00 (vuln.today)
  • CVE Published: Jan 26, 2026 - 18:16 (nvd), CRITICAL 9.8

Description (CVE.org)

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated access to the management interface.

Analysis (AI)

Default credentials in Tenda W30E V2 router firmware through V16.01.0.19. Known default password enables full administrative access.


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Discover Tenda W30E V2 device on network
  • Delivery: Connect to management interface
  • Exploit: Authenticate with default credentials
  • Execution: Access administrative controls
  • Impact: Execute arbitrary commands

Vulnerability Assessment (AI)

  • Exploitation: Tenda W30E V2 firmware version V16.01.0.19(5037) or earlier with management interface accessible over network; default authentication credentials not changed during device initialization; no authentication bypass required due to hardcoded default account.
  • Risk Assessment: CVSS 9.8. …
  • Exploit Scenario: Attacker logs in with default credentials, reconfigures DNS/routing for MITM attacks.
  • Remediation: Change default credentials. …

Recommended Action (AI)

Within 24 hours: Inventory all Tenda W30E V2 devices in production and isolate affected units from critical networks; immediately change default credentials if manual modification is supported and document all changes. …


CVE-2025-57086 HIGH POC
7.5 Sep 09

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the String parameter in the formDeleteMeshNo

CVE-2026-24436 CRITICAL
9.8 Jan 26

Missing rate limiting and account lockout on Tenda W30E V2 authentication endpoints. Brute-force attacks are unrestricte

CVE-2026-24440 HIGH
8.8 Jan 26

Unauthenticated password modification in Tenda W30E V2 firmware through the maintenance interface allows authenticated u

CVE-2026-24428 HIGH
8.8 Jan 26

Tenda W30E V2 firmware through version 16.01.0.19(5037) allows authenticated users with low privileges to escalate to ad

CVE-2026-24430 HIGH
7.5 Jan 26

Shenzhen Tenda W30E V2 firmware through V16.01.0.19(5037) transmits administrative credentials in plaintext over unencry

CVE-2026-24435 MEDIUM
6.5 Jan 26

Tenda W30E firmware through V16.01.0.19(5037) is vulnerable to CORS misconfiguration that permits authenticated administ

CVE-2026-24439 MEDIUM
6.5 Jan 26

Tenda W30E firmware versions through V16.01.0.19(5037) omit the X-Content-Type-Options: nosniff header from web manageme

CVE-2026-24431 MEDIUM
6.5 Jan 26

Tenda W30E V2 firmware through V16.01.0.19(5037) exposes stored administrative passwords in plaintext on the management

CVE-2026-24437 MEDIUM
5.5 Jan 26

Tenda W30E V2 firmware through version 16.01.0.19(5037) fails to implement proper cache-control headers on sensitive adm

CVE-2026-24433 MEDIUM
5.4 Jan 26

Tenda W30E V2 firmware through V16.01.0.19(5037) fails to properly sanitize user input during account creation, allowing

CVE-2026-24432 MEDIUM
4.3 Jan 26

Tenda W30E V2 firmware through V16.01.0.19(5037) lacks CSRF protections on administrative functions, enabling attackers

CVE-2025-57085 CRITICAL POC
9.8 Sep 09

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function.


CVE-2026-24429 vulnerability details – vuln.today
