ID

VAR-202601-4216


CVE

CVE-2026-24428


TITLE

Fraudulent Authentication Vulnerability in Shenzhen Tenda Technology Co., Ltd. W30E Firmware

Trust: 0.8

sources: JVNDB: JVNDB-2026-002325

DESCRIPTION

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges. All information handled by the software may be rewritten, and the software may stop working completely. Attacks that exploit this vulnerability will not affect other software.

Trust: 1.62

sources: NVD: CVE-2026-24428 // JVNDB: JVNDB-2026-002325

AFFECTED PRODUCTS

vendor: tenda, model: w30e, scope: lte, version: 16.01.0.19\(5037\)

Trust: 1.0

vendor: tenda, model: w30e, scope: lte, version: w30e firmware 16.01.0.19\(5037\) and earlier

Trust: 0.8

vendor: tenda, model: w30e, scope: eq, version: -

Trust: 0.8

vendor: tenda, model: w30e, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-002325 // NVD: CVE-2026-24428

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2026-24428
value: HIGH

Trust: 1.0

disclosure@vulncheck.com: CVE-2026-24428
value: HIGH

Trust: 1.0

NVD: CVE-2026-24428
value: HIGH

Trust: 0.8

nvd@nist.gov: CVE-2026-24428
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2026-24428
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-002325 // NVD: CVE-2026-24428 // NVD: CVE-2026-24428

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.0

problemtype:Illegal authentication (CWE-863) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-002325 // NVD: CVE-2026-24428

PATCH

title: Tenda W30E V2 Incorrect Authorization Allows Administrator Password Change | Advisories | VulnCheck
url: https://www.vulncheck.com/advisories/tenda-w30e-v2-incorrect-authorization-allows-administrator-password-change

Trust: 0.8

sources: JVNDB: JVNDB-2026-002325

EXTERNAL IDS

db: NVD, id: CVE-2026-24428

Trust: 2.6

db: JVNDB, id: JVNDB-2026-002325

Trust: 0.8

sources: JVNDB: JVNDB-2026-002325 // NVD: CVE-2026-24428

REFERENCES

url:https://www.tendacn.com/product/w30e

Trust: 1.8

url:https://www.vulncheck.com/advisories/tenda-w30e-v2-incorrect-authorization-allows-administrator-password-change

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2026-24428

Trust: 0.8

sources: JVNDB: JVNDB-2026-002325 // NVD: CVE-2026-24428

SOURCES

db: JVNDB, id: JVNDB-2026-002325
db: NVD, id: CVE-2026-24428

LAST UPDATE DATE

2026-02-03T23:44:59.694000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-002325, date: 2026-02-02T10:32:00
db: NVD, id: CVE-2026-24428, date: 2026-01-29T13:02:04.990

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-002325, date: 2026-02-02T00:00:00
db: NVD, id: CVE-2026-24428, date: 2026-01-26T18:16:40.117