CVE-2024-46430

Name of the Vulnerable Software and Affected Versions Tenda W18E version 16.01.0.8(1625)

Description The issue concerns an incorrect access control mechanism. It allows an unauthenticated remote attacker to change the administrator password through the web management portal by sending a specially crafted HTTP POST request to the setLoginPassword function, effectively bypassing the authentication mechanism.

Recommendations For Tenda W18E version 16.01.0.8(1625), as a temporary workaround, consider restricting access to the setLoginPassword function until a patch is available. Additionally, limit access to the web management portal to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.