ID

VAR-202601-4126


CVE

CVE-2026-24432


TITLE

Cross-site request forgery vulnerability in Shenzhen Tenda Technology Co.,Ltd. w30e firmware

Trust: 0.8

sources: JVNDB: JVNDB-2026-002126

DESCRIPTION

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered by an authenticated user’s browser, modify administrative passwords and other configuration settings. Some of the information handled by the software may be rewritten. The software will not stop running, and attacks exploiting this vulnerability will not affect other software.

Trust: 1.62

sources: NVD: CVE-2026-24432 // JVNDB: JVNDB-2026-002126

AFFECTED PRODUCTS

vendor: tenda, model: w30e, scope: lte, version: 16.01.0.19(5037)

Trust: 1.0

vendor: tenda, model: w30e, scope: eq, version: -

Trust: 0.8

vendor: tenda, model: w30e, scope: lte, version: w30e firmware 16.01.0.19(5037) and earlier

Trust: 0.8

vendor: tenda, model: w30e, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-002126 // NVD: CVE-2026-24432

CVSS

SEVERITY

nvd@nist.gov: CVE-2026-24432
value: MEDIUM

Trust: 1.0

disclosure@vulncheck.com: CVE-2026-24432
value: MEDIUM

Trust: 1.0

NVD: CVE-2026-24432
value: MEDIUM

Trust: 0.8

CVSSV3

nvd@nist.gov: CVE-2026-24432
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2026-24432
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-002126 // NVD: CVE-2026-24432 // NVD: CVE-2026-24432

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.0

problemtype: Cross-site request forgery (CWE-352) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-002126 // NVD: CVE-2026-24432

PATCH

title: Page Not Found | VulnCheck, url: https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions

Trust: 0.8

sources: JVNDB: JVNDB-2026-002126

EXTERNAL IDS

db: NVD, id: CVE-2026-24432

Trust: 2.6

db: JVNDB, id: JVNDB-2026-002126

Trust: 0.8

sources: JVNDB: JVNDB-2026-002126 // NVD: CVE-2026-24432

REFERENCES

url: https://www.tendacn.com/product/w30e

Trust: 1.8

url: https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2026-24432

Trust: 0.8

sources: JVNDB: JVNDB-2026-002126 // NVD: CVE-2026-24432

SOURCES

db: JVNDB, id: JVNDB-2026-002126
db: NVD, id: CVE-2026-24432

LAST UPDATE DATE

2026-01-31T23:24:57.566000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-002126, date: 2026-01-30T05:12:00
db: NVD, id: CVE-2026-24432, date: 2026-01-28T20:11:24.923

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-002126, date: 2026-01-30T00:00:00
db: NVD, id: CVE-2026-24432, date: 2026-01-26T18:16:40.713