CVE-2024-46436

CVE-2024-46436 is a high-severity vulnerability (CVSS 8.3, CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) stemming from hardcoded credentials in the Tenda W18E router firmware version V16.01.0.8(1625). It affects the telnet service on this device, classified under CWE-798 (Use of Hard-coded Credentials). Attackers can exploit these static credentials to bypass authentication entirely, as they are embedded directly in the firmware without obfuscation or randomization.

The vulnerability enables unauthenticated remote attackers on an adjacent network (AV:A) to connect to the telnet service with low attack complexity and no user interaction required. Successful exploitation grants root-level access to the device's operating system, allowing full control over configurations, potential data extraction, modification of router settings, or use as a pivot point in the network. Impacts include high confidentiality and integrity compromise, with low availability disruption.

For mitigation details, refer to the security research advisory at https://reddassolutions.com/blog/tenda_w18e_security_research, which documents the flaw. Affected users should disable the telnet service if possible, update to patched firmware if available from Tenda, or isolate the device from untrusted networks pending remediation.