CVE-2024-46437

Name of the Vulnerable Software and Affected Versions Tenda W18E version V16.01.0.8(1625)

Description A sensitive information disclosure issue in the web management portal allows an unauthenticated remote attacker to retrieve sensitive configuration information, including WiFi SSID, WiFi password, and base64-encoded administrator credentials, by sending a specially crafted HTTP POST request to the getQuickCfgWifiAndLogin function, bypassing authentication checks.

Recommendations For Tenda W18E version V16.01.0.8(1625), as a temporary workaround, consider disabling the getQuickCfgWifiAndLogin function until a patch is available. Restrict access to the web management portal to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.