CVE-2026-24428
HIGH WAF: Low
CVSS 8.8
Published: 2026-01-26
CWE-863
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges.
WAF Coverage Analysis
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| tenda | w30e_firmware | up to 16.01.0.19\(5037\) |
References
- www.tendacn.com (Product)
- www.vulncheck.com (Third Party Advisory)