PT-2026-4788 · Tenda · Tenda W30E

Kazuma Matsumoto · Published 2026-01-26 · Updated 2026-01-29 · CVE-2026-24428

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037)

Description: The firmware contains an authorization flaw within the user management API. A low-privileged authenticated user can alter the administrator account password by submitting a specially crafted request to the backend endpoint. This bypasses role-based access controls enforced by the web interface, potentially granting an attacker full administrative privileges. The vulnerable API endpoint allows unauthorized modification of administrative credentials.

Recommendations: Update firmware to a version later than V16.01.0.19(5037).
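
The class of control the description says is missing, as an added example (not Tenda's firmware code, which this page does not show): the password-change decision is made on the server from the session identity, beside the UI-only pattern that lets the request through. The role model, account table and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical role model and account table (constructed sample data). */
typedef enum { ROLE_GUEST, ROLE_USER, ROLE_ADMIN } role_t;
typedef struct { const char *name; role_t role; } account_t;

static const account_t ACCOUNTS[] = {
    { "admin", ROLE_ADMIN }, { "operator", ROLE_USER }, { "guest", ROLE_GUEST },
};

static const account_t *find_account(const char *name) {
    if (name == NULL) return NULL;
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, name) == 0) return &ACCOUNTS[i];
    return NULL;
}

/* Flawed pattern: the backend only requires a valid session and an existing
 * target account; the role restriction lives in the web UI alone. */
bool may_set_password_ui_only(const account_t *session, const char *target) {
    return session != NULL && find_account(target) != NULL;
}

/* Server-side decision: the caller comes from the session, never from a
 * request field. An account may change its own password; changing any
 * other account requires ROLE_ADMIN. */
bool may_set_password(const account_t *session, const char *target) {
    const account_t *tgt = find_account(target);
    if (session == NULL || tgt == NULL) return false;   /* fail closed */
    if (strcmp(session->name, tgt->name) == 0) return true;
    return session->role == ROLE_ADMIN;
}

int main(void) {
    const account_t *low = find_account("operator");
    printf("UI-only check,     operator -> admin: %s\n",
           may_set_password_ui_only(low, "admin") ? "allowed" : "denied");
    printf("server-side check, operator -> admin: %s\n",
           may_set_password(low, "admin") ? "allowed" : "denied");
    return 0;
}
```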

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

BDU:2026-00939
CVE-2026-24428

Affected Products

Tenda W30E