Cyber Resilience

CVE-2024-46429

Severity: High · Public PoC

Published: 10 February 2025
Modified: 28 March 2025
KEV Added: not listed
Patch: no entry
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (42.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-46429 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Tenda W18E Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). EPSS ranks it at the 42.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2024-46429 is a hardcoded credentials vulnerability (CWE-798) affecting the Tenda W18E router running firmware version V16.01.0.8(1625). The issue stems from a built-in default guest account that carries administrative privileges on the web management portal: anyone who can reach the portal can log in with that account, so no legitimate credential and no user interaction is required.

Attackers on an adjacent network (AV:A) can exploit this vulnerability with low complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N). Successful exploitation yields high impact on confidentiality, integrity and availability (C:H/I:H/A:H), for a CVSS v3.1 base score of 8.8. Note that the vector scores the attacker as being on the same LAN or Wi-Fi segment as the router; whether the portal is also reachable from the WAN depends on the device's remote-management configuration, which is worth checking during triage. In either case the result is full administrative control over the device (configuration, firmware, DNS and routing), which is a natural pivot point for further network compromise.

Mitigation details are available in the security research advisory at https://reddassolutions.com/blog/tenda_w18e_security_research, published on 2025-02-10.

Vulnerability details

A hardcoded credentials vulnerability in Tenda W18E V16.01.0.8(1625) allows unauthenticated remote attackers to access the web management portal using a default guest account with administrative privileges.

CWE(s)

CWE-798 Use of Hard-coded Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (tactic tag: Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1133 External Remote Services (tactic tag: Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

Why these techniques?

The hardcoded guest account with administrative privileges is a valid default account (T1078.001) that grants initial access through the router's web management service; where that service is exposed beyond the LAN it also serves as an external remote service for access and persistence (T1133).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-46436 (same product: Tenda W18E)
CVE-2024-46433 (same product: Tenda W18E)
CVE-2024-46431 (same product: Tenda W18E)
CVE-2024-46434 (same product: Tenda W18E)
CVE-2024-46435 (same product: Tenda W18E)
CVE-2024-46432 (same product: Tenda W18E)
CVE-2026-1610 (same vendor: Tenda)
CVE-2020-37092 (shared CWE-798)
CVE-2026-28777 (shared CWE-798)
CVE-2026-23647 (shared CWE-798)

Affected Assets

Vendor: tenda
Product: w18e firmware
Version: 16.01.0.8(1625)

Mitigating Controls (NIST 800-53 r5)

AC-2 Account Management (prevent): mandates management of system accounts, including disabling unnecessary default accounts such as the hardcoded guest account with administrative privileges.

IA-5 Authenticator Management (prevent): requires proper management of authenticators, preventing the use of hardcoded or default credentials that enable unauthenticated access.

CM-6 Configuration Settings (prevent): enforces secure configuration settings, such as changing default credentials and restricting access to the web management portal.
