CVE-2024-46429

HighPublic PoC

Published: 10 February 2025

Published

10 February 2025

Modified

28 March 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0020 42.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A hardcoded credentials vulnerability in Tenda W18E V16.01.0.8(1625) allows unauthenticated remote attackers to access the web management portal using a default guest account with administrative privileges.

Security Summary

CVE-2024-46429 is a hardcoded credentials vulnerability (CWE-798) affecting the Tenda W18E router running firmware version V16.01.0.8(1625). The issue stems from a default guest account that grants administrative privileges to the web management portal, enabling unauthenticated remote access without requiring authentication.

Attackers on an adjacent network (AV:A) can exploit this vulnerability with low complexity (AC:L) and no privileges (PR:N), requiring no user interaction (UI:N). Successful exploitation provides high-impact access to confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8. This allows full administrative control over the device, potentially leading to further network compromise.

Mitigation details are available in the security research advisory at https://reddassolutions.com/blog/tenda_w18e_security_research, published on 2025-02-10.

Details

CWE(s): CWE-798

Affected Products

tenda

w18e firmware

16.01.0.8\(1625\)

References

https://reddassolutions.com/blog/tenda_w18e_security_research
Exploit, Third Party Advisory · cve@mitre.org