CVE-2024-46433

HighPublic PoC

Published: 10 February 2025

Published

10 February 2025

Modified

25 March 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0097 76.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46433 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Tenda W18E Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 23.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-2 Account Management good match

prevent

AC-2 requires organizations to change default authenticators and manage accounts, directly preventing exploitation of the factory default 'rzadmin' credentials.

IA-5 Authenticator Management good match

prevent

IA-5 mandates changing default authenticators prior to first use and proper management of passwords, comprehensively addressing the hardcoded default credentials vulnerability.

CM-6 Configuration Settings good match

prevent

CM-6 ensures secure baseline configuration settings are implemented and monitored, including modification of default credentials on the router's web management portal.

NVD Description

A default credentials vulnerability in Tenda W18E V16.01.0.8(1625) allows unauthenticated remote attackers to access the web management portal using the default rzadmin account with administrative privileges.

Deeper analysisAI

CVE-2024-46433 is a default credentials vulnerability (CWE-798) in the Tenda W18E router firmware version V16.01.0.8(1625). It enables unauthenticated remote attackers to access the web management portal using the default "rzadmin" account, which possesses administrative privileges. The issue carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-10.

An attacker with access to the adjacent network can exploit this vulnerability with low complexity and no required privileges or user interaction. Upon logging in with the default credentials, the attacker gains administrative control over the device, potentially allowing high-impact confidentiality, integrity, and availability compromises, such as modifying configurations, extracting sensitive data, or disrupting network operations.

Mitigation details are available in the security research advisory at https://reddassolutions.com/blog/tenda_w18e_security_research.

Details

CWE(s): CWE-798

Affected Products

tenda

w18e firmware

16.01.0.8\(1625\)

CVEs Like This One

CVE-2024-46436Same product: Tenda W18E

CVE-2024-46429Same product: Tenda W18E

CVE-2024-46434Same product: Tenda W18E

CVE-2024-46435Same product: Tenda W18E

CVE-2024-46432Same product: Tenda W18E

CVE-2024-46431Same product: Tenda W18E

CVE-2026-1610Same vendor: Tenda

CVE-2025-1898Same vendor: Tenda

CVE-2025-15007Same vendor: Tenda

CVE-2026-38835Same vendor: Tenda

References

https://reddassolutions.com/blog/tenda_w18e_security_research
Exploit, Third Party Advisory · cve@mitre.org