Cyber Posture

CVE-2026-24429

CriticalPublic PoC

Published: 26 January 2026

Published
26 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to…

more

gain authenticated access to the management interface.

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

Directly requires changing default authenticators prior to first use, preventing attackers from exploiting the predefined default password for the built-in authentication account.

AC-2 Account Management good match
prevent

Mandates management of system accounts including disabling unnecessary accounts, reviewing for compliance, and handling default credentials to block unauthorized access to the management interface.

CM-6 Configuration Settings good match
prevent

Establishes and enforces baseline configuration settings that prohibit use of default passwords, ensuring the router firmware does not allow unchanged predefined credentials during initial setup.

Security SummaryAI

CVE-2026-24429 is a high-severity vulnerability (CVSS v3.1 score of 9.8) in the firmware of the Shenzhen Tenda W30E V2 router, affecting versions up to and including V16.01.0.19(5037). The issue stems from a predefined default password for a built-in authentication account that is not required to be changed during initial configuration, classified under CWE-1393. Published on 2026-01-26, it enables attackers to use these static credentials to access the device's management interface.

The vulnerability can be exploited by any unauthenticated remote attacker over the network (AV:N/AC:L/PR:N/UI:N), requiring no privileges, user interaction, or complex setup. Successful exploitation provides authenticated access to the management interface, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), such as executing arbitrary commands, modifying configurations, or disrupting device operations.

Advisories, including the VulnCheck report at https://www.vulncheck.com/advisories/tenda-w30e-v2-hardcoded-default-password-for-built-in-account, highlight the hardcoded nature of the credentials. Mitigation involves immediately changing the default password on affected devices and checking the Tenda product page at https://www.tendacn.com/product/W30E for firmware updates that may resolve the issue.

Details

CWE(s)
CWE-1393

Affected Products

tenda
w30e firmware
≤ 16.01.0.19\(5037\)

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Hardcoded default password enables use of default accounts (T1078.001) for remote access to the public-facing router management interface (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References