W30e Firmware
CVE-2026-24430
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception.
AnalysisAI
Shenzhen Tenda W30E V2 firmware through V16.01.0.19(5037) transmits administrative credentials in plaintext over unencrypted HTTP from the maintenance interface, allowing unauthenticated network attackers to intercept and obtain account credentials. Affected devices lack authentication requirements for accessing this interface, making credential theft trivial for anyone on the same network. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Tenda W30E V2 firmware version V16.01.0.19(5037) or earlier with management interface accessible over HTTP (default configuration); no authentication required to access credential disclosure endpoint. Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker could exploit this vulnerability to compromise the affected system. |
| Remediation | Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Tenda W30E V2 devices in your environment and document firmware versions; isolate devices from production networks if possible and restrict maintenance interface access to trusted networks only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in W30e Firmware
View allTenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the String parameter in the formDeleteMeshNo
Default credentials in Tenda W30E V2 router firmware through V16.01.0.19. Known default password enables full administra
Missing rate limiting and account lockout on Tenda W30E V2 authentication endpoints. Brute-force attacks are unrestricte
Unauthenticated password modification in Tenda W30E V2 firmware through the maintenance interface allows authenticated u
Tenda W30E V2 firmware through version 16.01.0.19(5037) allows authenticated users with low privileges to escalate to ad
Tenda W30E firmware through V16.01.0.19(5037) is vulnerable to CORS misconfiguration that permits authenticated administ
Tenda W30E firmware versions through V16.01.0.19(5037) omit the X-Content-Type-Options: nosniff header from web manageme
Tenda W30E V2 firmware through V16.01.0.19(5037) exposes stored administrative passwords in plaintext on the management
Tenda W30E V2 firmware through version 16.01.0.19(5037) fails to implement proper cache-control headers on sensitive adm
Tenda W30E V2 firmware through V16.01.0.19(5037) fails to properly sanitize user input during account creation, allowing
Tenda W30E V2 firmware through V16.01.0.19(5037) lacks CSRF protections on administrative functions, enabling attackers
Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today