CVE-2026-24428

Severity
8.7 HIGH
EPSS
0.1%
top 82.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jan 26

Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

NVD: tenda/w30e_firmware 16.01.0.19(5037)

🔴Vulnerability Details

2
GHSA
GHSA-ww5j-8g6w-h99h: Shenzhen Tenda W30E V2 firmware versions up to and including V16 | 2026-01-26
CVEList
Tenda W30E V2 Incorrect Authorization Allows Administrator Password Change | 2026-01-26
CVE-2026-24428 (HIGH CVSS 8.7) | Shenzhen Tenda W30E V2 firmware ver | cvebase.io