CVE-2026-24429
Published: 26 January 2026
Summary
CVE-2026-24429 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Tenda W30E Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires changing default authenticators prior to first use, preventing attackers from exploiting the predefined default password for the built-in authentication account.
Mandates management of system accounts including disabling unnecessary accounts, reviewing for compliance, and handling default credentials to block unauthorized access to the management interface.
Establishes and enforces baseline configuration settings that prohibit use of default passwords, ensuring the router firmware does not allow unchanged predefined credentials during initial setup.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hardcoded default password enables use of default accounts (T1078.001) for remote access to the public-facing router management interface (T1190).
NVD Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to…
more
gain authenticated access to the management interface.
Deeper analysisAI
CVE-2026-24429 is a high-severity vulnerability (CVSS v3.1 score of 9.8) in the firmware of the Shenzhen Tenda W30E V2 router, affecting versions up to and including V16.01.0.19(5037). The issue stems from a predefined default password for a built-in authentication account that is not required to be changed during initial configuration, classified under CWE-1393. Published on 2026-01-26, it enables attackers to use these static credentials to access the device's management interface.
The vulnerability can be exploited by any unauthenticated remote attacker over the network (AV:N/AC:L/PR:N/UI:N), requiring no privileges, user interaction, or complex setup. Successful exploitation provides authenticated access to the management interface, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), such as executing arbitrary commands, modifying configurations, or disrupting device operations.
Advisories, including the VulnCheck report at https://www.vulncheck.com/advisories/tenda-w30e-v2-hardcoded-default-password-for-built-in-account, highlight the hardcoded nature of the credentials. Mitigation involves immediately changing the default password on affected devices and checking the Tenda product page at https://www.tendacn.com/product/W30E for firmware updates that may resolve the issue.
Details
- CWE(s)