CVE-2024-46434

HighPublic PoC

Published: 10 February 2025

Published

10 February 2025

Modified

25 March 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 38.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46434 is a high-severity Improper Authentication (CWE-287) vulnerability in Tenda W18E Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 38.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 mandates enforcement of approved authorizations for access to system resources, directly countering authentication bypass in the web management portal.

IA-2 Identification and Authentication (Organizational Users) good match

prevent

IA-2 requires identification and authentication of organizational users before network access, preventing unauthorized administrative login via crafted HTTP requests.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

AC-14 prohibits sensitive functions like administrative access without identification and authentication, mitigating bypass vulnerabilities in management interfaces.

NVD Description

Tenda W18E V16.01.0.8(1625) suffers from authentication bypass in the web management portal allowing an unauthorized remote attacker to gain administrative access by sending a specially crafted HTTP request.

Deeper analysisAI

CVE-2024-46434 is an authentication bypass vulnerability affecting the Tenda W18E router running firmware version V16.01.0.8(1625). The flaw resides in the web management portal, where an unauthorized remote attacker can bypass authentication controls by sending a specially crafted HTTP request, granting full administrative access to the device.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-287 (Improper Authentication). An attacker with adjacent network access (e.g., on the same local network segment) requires no privileges or user interaction to exploit it. Successful exploitation allows the attacker to achieve high-impact confidentiality, integrity, and availability compromises, such as modifying device configurations, extracting sensitive data, or disrupting network operations.

Details on the vulnerability, including exploitation techniques, are documented in the advisory published by Redda Solutions at https://reddassolutions.com/blog/tenda_w18e_security_research. No specific patches or vendor mitigations are detailed in available information.

Details

CWE(s): CWE-287

Affected Products

tenda

w18e firmware

16.01.0.8\(1625\)

CVEs Like This One

CVE-2024-46435Same product: Tenda W18E

CVE-2024-46436Same product: Tenda W18E

CVE-2024-46433Same product: Tenda W18E

CVE-2024-46432Same product: Tenda W18E

CVE-2024-46431Same product: Tenda W18E

CVE-2024-46429Same product: Tenda W18E

CVE-2026-4252Same vendor: Tenda

CVE-2025-1898Same vendor: Tenda

CVE-2025-15007Same vendor: Tenda

CVE-2026-38835Same vendor: Tenda

References

https://reddassolutions.com/blog/tenda_w18e_security_research
Exploit, Third Party Advisory · cve@mitre.org