Cyber Posture

CVE-2024-46450

High

Published: 16 January 2025

Modified: 07 July 2025
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0012 (30.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-46450 is a high-severity Missing Authorization (CWE-862) vulnerability in Tenda Ac6 Firmware. Its CVSS base score is 8.1 (High).

Operationally, it ranks at the 30.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Enforces approved authorizations for access to system resources, directly preventing authentication bypass via crafted web requests in the router's interface.

prevent

Explicitly identifies and authorizes only specific actions performable without identification or authentication, countering missing authorization that enables unauthorized access.

prevent

Validates the integrity of web request inputs, mitigating crafted requests that exploit flawed access controls in the router firmware.

NVD Description

Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request.

Deeper analysis [AI]

CVE-2024-46450 is an incorrect access control vulnerability, classified under CWE-862 (Missing Authorization), affecting the Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 running firmware version v15.03.06.50. The issue stems from flawed access controls in the router's web interface, enabling attackers to bypass authentication mechanisms through a specially crafted web request.

The vulnerability carries a CVSS v3.1 base score of 8.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. Remote attackers require no privileges and can exploit it over the network with low attack complexity, though exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. Successful exploitation has a high impact on confidentiality and integrity, potentially allowing unauthorized access to sensitive router configurations or data.

Mitigation details are available in the referenced advisory at https://pastebin.com/BXxTqsZk.

Details

CWE(s)

Affected Products

tenda · ac6 firmware · 15.03.06.50

CVEs Like This One

CVE-2026-4960 (Same product: Tenda Ac6)
CVE-2025-25343 (Same product: Tenda Ac6)
CVE-2026-4961 (Same product: Tenda Ac6)
CVE-2025-29121 (Same product: Tenda Ac6)
CVE-2025-70252 (Same product: Tenda Ac6)
CVE-2025-52221 (Same product: Tenda Ac6)
CVE-2025-12225 (Same product: Tenda Ac6)
CVE-2025-7914 (Same product: Tenda Ac6)
CVE-2025-29029 (Same product: Tenda Ac6)
CVE-2025-29030 (Same product: Tenda Ac6)

References