Tenda W30E V2 Allows Password Changes Without Verifying Current Password

Advisories

severity: high
date: January 26, 2026
Affecting: W30E V2 firmware <= v16.01.0.19(5037)
CVE: CVE-2026-24440
CWE: CWE-620 Unverified Password Change
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Tenda Product Webpage
Credit: Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.
Description: Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained.