CVE-2026-24428
Published: 26 January 2026
Summary
CVE-2026-24428 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Tenda W30E Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 17.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access to information and system resources, directly preventing low-privileged users from bypassing role-based restrictions to change the administrator password via the API endpoint.
Requires explicit authorization decisions for access to system resources by defined roles, countering the role-based access control bypass in the user management API.
Employs least privilege to restrict low-privileged users from performing administrative actions such as changing the administrator password.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an authorization bypass in the router's management API that directly allows a low-privileged authenticated user to escalate to full administrative privileges by changing the admin password; this maps cleanly to Exploitation for Privilege Escalation (T1068).
NVD Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the…
more
backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges.
Deeper analysisAI
CVE-2026-24428 is an authorization vulnerability (CWE-863: Incorrect Authorization) in the user management API of the Shenzhen Tenda W30E V2 router firmware, affecting versions up to and including V16.01.0.19(5037). The flaw enables a low-privileged authenticated user to bypass role-based access restrictions enforced by the web interface. By sending a crafted request directly to the backend endpoint, the attacker can change the administrator account password and elevate their privileges to full administrative access. The vulnerability was published on 2026-01-26 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires a low-privileged authenticated account with network access to the device. An attacker can remotely trigger the issue with low attack complexity and no user interaction, crafting a specific request to the API endpoint. Upon success, the attacker gains complete administrative control over the router, potentially enabling further compromise such as network pivoting, data exfiltration, or persistent access.
Mitigation guidance is available in vendor and advisory resources, including the Tenda product page at https://www.tendacn.com/product/W30E and the VulnCheck advisory at https://www.vulncheck.com/advisories/tenda-w30e-v2-incorrect-authorization-allows-administrator-password-change. Security practitioners should consult these for details on patches, workarounds, or firmware updates.
Details
- CWE(s)