Cyber Posture

CVE-2024-46450

High

Published: 16 January 2025

Modified: 07 July 2025
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0012 (30.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request.

Security Summary

CVE-2024-46450 is an incorrect access control vulnerability, classified under CWE-862 (Missing Authorization), affecting the Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 running firmware version v15.03.06.50. The issue stems from flawed access controls in the router's web interface, enabling attackers to bypass authentication mechanisms through a specially crafted web request.

The vulnerability carries a CVSS v3.1 base score of 8.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. A remote attacker needs no privileges and can exploit it over the network with low attack complexity, but exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. Successful exploitation has a high impact on confidentiality and integrity, potentially allowing unauthorized access to sensitive router configurations or data.

Mitigation details are available in the referenced advisory at https://pastebin.com/BXxTqsZk.

Details

CWE(s)
CWE-862

Affected Products

Vendor: tenda
Product: ac6 firmware
Version: 15.03.06.50

References