CVE-2024-46432

CVE-2024-46432 is an Incorrect Access Control vulnerability (CWE-284) affecting the Tenda W18E router on firmware version V16.01.0.8(1625). The issue resides in the setQuickCfgWifiAndLogin function, where an attacker can send a specially crafted HTTP POST request to bypass authorization checks. This enables unauthorized modifications to WiFi configuration settings and administrative credentials without proper authentication.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation from an adjacent network with low complexity and no required privileges or user interaction. An attacker on the same local network segment, such as via WiFi or Ethernet proximity, can remotely alter critical device settings. This grants high-impact control over confidentiality, integrity, and availability, allowing the attacker to reconfigure WiFi SSIDs/passwords, reset admin accounts, and potentially lock out legitimate users or pivot to further network compromise.

Mitigation details are available in the security research advisory at https://reddassolutions.com/blog/tenda_w18e_security_research, published alongside the CVE on 2025-02-10. Practitioners should consult this reference for any recommended patches, firmware updates, or workarounds specific to the Tenda W18E.