Cyber Resilience

CVE-2026-24429

CriticalPublic PoC

Published: 26 January 2026

Published
26 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0037 28.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-24429 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Tenda W30E Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-24429 is a high-severity vulnerability (CVSS v3.1 score of 9.8) in the firmware of the Shenzhen Tenda W30E V2 router, affecting versions up to and including V16.01.0.19(5037). The issue stems from a predefined default password for a built-in authentication account that is not required to be changed during initial configuration, classified under CWE-1393. Published on 2026-01-26, it enables attackers to use these static credentials to access the device's management interface.

The vulnerability can be exploited by any unauthenticated remote attacker over the network (AV:N/AC:L/PR:N/UI:N), requiring no privileges, user interaction, or complex setup. Successful exploitation provides authenticated access to the management interface, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), such as executing arbitrary commands, modifying configurations, or disrupting device operations.

Advisories, including the VulnCheck report at https://www.vulncheck.com/advisories/tenda-w30e-v2-hardcoded-default-password-for-built-in-account, highlight the hardcoded nature of the credentials. Mitigation involves immediately changing the default password on affected devices and checking the Tenda product page at https://www.tendacn.com/product/W30E for firmware updates that may resolve the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to…

more

gain authenticated access to the management interface.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Hardcoded default password enables use of default accounts (T1078.001) for remote access to the public-facing router management interface (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-38834Same product: Tenda W30E
CVE-2026-38835Same product: Tenda W30E
CVE-2026-24436Same product: Tenda W30E
CVE-2026-24430Same product: Tenda W30E
CVE-2025-57085Same product: Tenda W30E
CVE-2026-24440Same product: Tenda W30E
CVE-2026-24428Same product: Tenda W30E
CVE-2025-29357Same vendor: Tenda
CVE-2025-1853Same vendor: Tenda
CVE-2026-5841Same vendor: Tenda

Affected Assets

tenda
w30e firmware
≤ 16.01.0.19\(5037\)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires changing default authenticators prior to first use, preventing attackers from exploiting the predefined default password for the built-in authentication account.

prevent

Mandates management of system accounts including disabling unnecessary accounts, reviewing for compliance, and handling default credentials to block unauthorized access to the management interface.

prevent

Establishes and enforces baseline configuration settings that prohibit use of default passwords, ensuring the router firmware does not allow unchanged predefined credentials during initial setup.

References