CVE-2024-46432

HighPublic PoC

Published: 10 February 2025

Published

10 February 2025

Modified

25 March 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46432 is a high-severity Improper Access Control (CWE-284) vulnerability in Tenda W18E Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations to block unauthorized HTTP POST requests to the setQuickCfgWifiAndLogin function that modify WiFi settings and admin credentials.

SI-2 Flaw Remediation good match

preventrecover

Remediates the specific access control flaw in Tenda W18E firmware V16.01.0.8(1625) through timely installation of vendor patches or updates.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Prohibits sensitive actions like WiFi reconfiguration and admin credential changes without identification and authentication, directly countering the permitted unauthorized access.

NVD Description

Tenda W18E V16.01.0.8(1625) is vulnerable to Incorrect Access Control. An attacker can send a specially crafted HTTP POST request to the setQuickCfgWifiAndLogin function, which allows unauthorized changes to WiFi configuration settings and administrative credentials.

Deeper analysisAI

CVE-2024-46432 is an Incorrect Access Control vulnerability (CWE-284) affecting the Tenda W18E router on firmware version V16.01.0.8(1625). The issue resides in the setQuickCfgWifiAndLogin function, where an attacker can send a specially crafted HTTP POST request to bypass authorization checks. This enables unauthorized modifications to WiFi configuration settings and administrative credentials without proper authentication.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation from an adjacent network with low complexity and no required privileges or user interaction. An attacker on the same local network segment, such as via WiFi or Ethernet proximity, can remotely alter critical device settings. This grants high-impact control over confidentiality, integrity, and availability, allowing the attacker to reconfigure WiFi SSIDs/passwords, reset admin accounts, and potentially lock out legitimate users or pivot to further network compromise.

Mitigation details are available in the security research advisory at https://reddassolutions.com/blog/tenda_w18e_security_research, published alongside the CVE on 2025-02-10. Practitioners should consult this reference for any recommended patches, firmware updates, or workarounds specific to the Tenda W18E.

Details

CWE(s): CWE-284

Affected Products

tenda

w18e firmware

16.01.0.8\(1625\)

CVEs Like This One

CVE-2024-46434Same product: Tenda W18E

CVE-2024-46435Same product: Tenda W18E

CVE-2024-46436Same product: Tenda W18E

CVE-2024-46433Same product: Tenda W18E

CVE-2024-46431Same product: Tenda W18E

CVE-2024-46429Same product: Tenda W18E

CVE-2025-63666Same vendor: Tenda

CVE-2026-30140Same vendor: Tenda

CVE-2026-2148Same vendor: Tenda

CVE-2026-5526Same vendor: Tenda

References

https://reddassolutions.com/blog/tenda_w18e_security_research
Exploit, Third Party Advisory · cve@mitre.org