W30e Firmware CVE-2026-24430

HIGH 7.5 (CVSS 3.1 · NVD)
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-01-26 disclosure@vulncheck.com

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 22:00 (vuln.today)
CVE Published: Jan 26, 2026 - 18:16 (nvd), HIGH 7.5

Description (CVE.org)

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception.

Analysis (AI)

Shenzhen Tenda W30E V2 firmware through V16.01.0.19(5037) transmits administrative credentials in plaintext over unencrypted HTTP from the maintenance interface, allowing unauthenticated network attackers to intercept and obtain account credentials. Affected devices lack authentication requirements for accessing this interface, making credential theft trivial for anyone on the same network. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Connect to unencrypted HTTP management interface
Exploit: Request maintenance page
Execution: Intercept cleartext HTTP response
Impact: Extract admin credentials from response body

Vulnerability Assessment (AI)

Exploitation: Tenda W30E V2 firmware version V16.01.0.19(5037) or earlier with management interface accessible over HTTP (default configuration); no authentication required to access credential disclosure endpoint.
Risk Assessment: CVSS 7.5 (HIGH). …
Exploit Scenario: A remote attacker could exploit this vulnerability to compromise the affected system.
Remediation: Monitor vendor advisories for a patch. …

Recommended Action (AI)

Within 24 hours: Identify all Tenda W30E V2 devices in your environment and document firmware versions; isolate devices from production networks if possible and restrict maintenance interface access to trusted networks only. …

CVE-2025-57086 HIGH POC
7.5 Sep 09

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the String parameter in the formDeleteMeshNo

CVE-2026-24429 CRITICAL
9.8 Jan 26

Default credentials in Tenda W30E V2 router firmware through V16.01.0.19. Known default password enables full administra

CVE-2026-24436 CRITICAL
9.8 Jan 26

Missing rate limiting and account lockout on Tenda W30E V2 authentication endpoints. Brute-force attacks are unrestricte

CVE-2026-24440 HIGH
8.8 Jan 26

Unauthenticated password modification in Tenda W30E V2 firmware through the maintenance interface allows authenticated u

CVE-2026-24428 HIGH
8.8 Jan 26

Tenda W30E V2 firmware through version 16.01.0.19(5037) allows authenticated users with low privileges to escalate to ad

CVE-2026-24435 MEDIUM
6.5 Jan 26

Tenda W30E firmware through V16.01.0.19(5037) is vulnerable to CORS misconfiguration that permits authenticated administ

CVE-2026-24439 MEDIUM
6.5 Jan 26

Tenda W30E firmware versions through V16.01.0.19(5037) omit the X-Content-Type-Options: nosniff header from web manageme

CVE-2026-24431 MEDIUM
6.5 Jan 26

Tenda W30E V2 firmware through V16.01.0.19(5037) exposes stored administrative passwords in plaintext on the management

CVE-2026-24437 MEDIUM
5.5 Jan 26

Tenda W30E V2 firmware through version 16.01.0.19(5037) fails to implement proper cache-control headers on sensitive adm

CVE-2026-24433 MEDIUM
5.4 Jan 26

Tenda W30E V2 firmware through V16.01.0.19(5037) fails to properly sanitize user input during account creation, allowing

CVE-2026-24432 MEDIUM
4.3 Jan 26

Tenda W30E V2 firmware through V16.01.0.19(5037) lacks CSRF protections on administrative functions, enabling attackers

CVE-2025-57085 CRITICAL POC
9.8 Sep 09

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function.
