CVE-2026-24432
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-26

Last updated on: 2026-01-28

Assigner: VulnCheck

Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered by an authenticated user’s browser, modify administrative passwords and other configuration settings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-28
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24432
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tenda w30e_firmware to 16.01.0.19\(5037\) (inc)
tenda w30e *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Shenzhen Tenda W30E V2 router firmware up to version V16.01.0.19(5037). It occurs because administrative endpoints, including those used to change administrator account credentials, lack CSRF protections. An attacker can craft malicious requests that, when triggered by an authenticated user's browser, can change administrative passwords and other configuration settings without authorization. [1]

Impact Analysis

This vulnerability can allow an attacker to modify administrative passwords and configuration settings on the affected router without authorization. This could lead to unauthorized access or changes to the router's configuration, potentially compromising network security. However, the impact on confidentiality and availability is not significant, with a low integrity impact. [1]

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or unexpected changes to administrative settings on the Tenda W30E V2 router, especially changes to administrator account credentials. Since the vulnerability is a CSRF issue affecting administrative endpoints, one approach is to inspect HTTP requests to the router's administrative interface for suspicious POST requests that change configuration without proper CSRF tokens. Network traffic capture tools like Wireshark or tcpdump can be used to analyze such requests. However, no specific detection commands or signatures are provided in the available resources. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Tenda W30E V2 router firmware to a version later than V16.01.0.19(5037) where the CSRF protections are implemented. If an update is not available, restrict access to the router's administrative interface to trusted networks only, avoid using the router's web interface from untrusted devices, and educate users to avoid clicking on suspicious links while authenticated to the router. Additionally, consider resetting administrator credentials after applying mitigations to ensure no unauthorized changes persist. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24432. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart