Cyber Resilience

CVE-2026-24436

Severity: Critical · Public PoC

Published: 26 January 2026

Modified: 28 January 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS v4.0 score: 9.2 (Critical), vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS score: 0.0042 (33.3rd percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-24436 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Tenda W30E firmware. Its CVSS v4.0 base score is 9.2 (Critical); under CVSS v3.1 it scores 9.8.

Operationally, exploitation maps to the MITRE ATT&CK technique Password Guessing (T1110.001). EPSS ranks it at the 33.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and AU-12 (Audit Record Generation).

Deeper analysis

CVE-2026-24436 is a critical vulnerability in the Shenzhen Tenda W30E V2 router firmware, affecting versions up to and including V16.01.0.19(5037). The authentication endpoints enforce neither rate limiting nor account lockout, so an attacker can submit an unlimited number of credential guesses against the administrative account. Under CVSS v3.1 it scores 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the CVSS v4.0 vector rates it 9.2. It maps to CWE-307: Improper Restriction of Excessive Authentication Attempts.

Any remote attacker with network access to the device's management interface can exploit this without privileges or user interaction. Because failed attempts are neither counted nor delayed, the attacker can iterate through a password list until the administrative credential is guessed, at which point they hold full control over the router's configuration; hence the high impact on confidentiality, integrity and availability. Exposure is greatest where the management interface is reachable from the WAN or from an untrusted LAN segment.
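As an added illustration (this is not Tenda firmware code, which the page does not reproduce), the following Python models the CWE-307 condition beside an AC-7-style lockout and runs a simulated password-guessing loop against each. The account name, its password, the attacker's wordlist and the lockout policy values are all assumptions made for the demonstration.

```python
"""Added example: CWE-307 login handler beside an AC-7-style lockout.

Everything here is constructed for the demonstration: the admin account,
its password, the attacker's wordlist and the lockout policy values.
It is not Tenda firmware code.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed credential store: a single "admin" account, salted SHA-256 digest.
# (Demo only; a real device should use a slow password hash such as bcrypt/Argon2.)
_SALT = b"demo-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


_ADMIN_DIGEST = _digest("r0uter-Adm1n!")  # assumed secret for the demo


def check_password(user: str, password: str) -> bool:
    """Verify a credential with a constant-time digest comparison."""
    return user == "admin" and hmac.compare_digest(_digest(password), _ADMIN_DIGEST)


class UnthrottledLogin:
    """The vulnerable shape: every attempt is evaluated, nothing is counted."""

    def attempt(self, user: str, password: str):
        return ("ok" if check_password(user, password) else "denied"), 0.0


@dataclass
class ThrottledLogin:
    """AC-7 shape: lock the account after N consecutive failures for a fixed period."""

    max_failures: int = 5
    lockout_seconds: float = 900.0
    clock: Callable[[], float] = time.monotonic  # injectable so tests need not sleep
    _state: dict = field(default_factory=dict)   # user -> (failures, locked_until)

    def attempt(self, user: str, password: str):
        """Return (status, seconds_remaining) with status in {ok, denied, locked}."""
        now = self.clock()
        failures, locked_until = self._state.get(user, (0, 0.0))
        if now < locked_until:
            # Locked: refuse without even evaluating the password.
            return "locked", locked_until - now
        if check_password(user, password):
            self._state.pop(user, None)  # a success resets the failure counter
            return "ok", 0.0
        failures += 1
        if failures >= self.max_failures:
            self._state[user] = (0, now + self.lockout_seconds)
            return "locked", self.lockout_seconds
        self._state[user] = (failures, 0.0)
        return "denied", 0.0


# Constructed T1110.001 wordlist; the assumed real password sits at position 9.
WORDLIST = ["admin", "password", "123456", "tenda", "12345678", "admin123",
            "root", "qwerty", "r0uter-Adm1n!", "letmein", "1234", "guest"]


def brute_force(login, wordlist=WORDLIST):
    """Simulated password-guessing run. Returns (outcome, attempts_made)."""
    for n, guess in enumerate(wordlist, 1):
        status, _ = login.attempt("admin", guess)
        if status == "ok":
            return "compromised", n
        if status == "locked":
            return "locked", n
    return "exhausted", len(wordlist)


class FakeClock:
    """Deterministic clock so lockout expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    print("no lockout  :", brute_force(UnthrottledLogin()))  # ('compromised', 9)
    print("AC-7 lockout:", brute_force(ThrottledLogin()))    # ('locked', 5)
```

The lockout here is keyed per account, which is the usual AC-7 reading; on a device with a single administrative account that also lets an attacker lock the legitimate administrator out, so in practice a progressive delay combined with per-source throttling is a better fit than a long hard lockout.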

Mitigation guidance and additional details are available in the Tenda product page at https://www.tendacn.com/product/W30E and the VulnCheck advisory at https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-rate-limiting-on-authentication.

Vulnerability details

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

Directly enables unrestricted password guessing against the admin authentication endpoint due to missing rate limiting/lockout.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24430 (same product: Tenda W30E)
CVE-2026-24429 (same product: Tenda W30E)
CVE-2025-57085 (same product: Tenda W30E)
CVE-2026-38834 (same product: Tenda W30E)
CVE-2026-24440 (same product: Tenda W30E)
CVE-2026-24428 (same product: Tenda W30E)
CVE-2026-38835 (same product: Tenda W30E)
CVE-2026-32292 (shared CWE-307)
CVE-2024-9342 (shared CWE-307)
CVE-2025-36363 (shared CWE-307)

Affected Assets

Tenda W30E firmware, versions ≤ 16.01.0.19(5037)

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-7 (Unsuccessful Logon Attempts) limits consecutive failed logons and enforces an automated lockout or delay, which is exactly the control the affected firmware lacks. On a device with a single administrative account, a hard per-account lockout also lets an attacker lock the legitimate administrator out, so a progressive delay combined with per-source throttling is usually the better fit.

Prevent: SC-5 (Denial-of-Service Protection) limits the resource consumption of repeated authentication requests, so a sustained guessing campaign cannot exhaust the device's request-handling capacity.

Detect: AU-12 (Audit Record Generation) records unsuccessful logon attempts, which is what makes a burst of failures against the management interface visible to monitoring.
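An added example of the AU-12 detection side (not taken from the page or from Tenda): a detector run over constructed, syslog-like authentication records. The log format, the source addresses and the thresholds are assumptions; the T1110.001 signature it implements is a burst of failures from one source address inside a sliding window, with an escalated alert when a success follows that burst.

```python
"""Added example: brute-force detection over authentication audit records (AU-12).

The log format and every line in SAMPLE_LOG are constructed for this demo;
they are not Tenda's log format. Two signals are produced: a burst of failures
from one source (T1110.001), and a success that follows such a burst.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) authd: login "
    r"(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: eight failures in nine seconds from 198.51.100.7 followed by
# a success; then one typo and a later success from 192.0.2.10 (a legitimate admin).
SAMPLE_LOG = """\
2026-01-26T10:00:00Z authd: login failure user=admin src=198.51.100.7
2026-01-26T10:00:01Z authd: login failure user=admin src=198.51.100.7
2026-01-26T10:00:02Z authd: login failure user=admin src=198.51.100.7
2026-01-26T10:00:03Z authd: login failure user=admin src=198.51.100.7
2026-01-26T10:00:04Z authd: login failure user=admin src=198.51.100.7
2026-01-26T10:00:05Z authd: login failure user=admin src=198.51.100.7
2026-01-26T10:00:06Z authd: login failure user=admin src=198.51.100.7
2026-01-26T10:00:07Z authd: login failure user=admin src=198.51.100.7
2026-01-26T10:00:09Z authd: login success user=admin src=198.51.100.7
2026-01-26T10:05:00Z authd: login failure user=admin src=192.0.2.10
2026-01-26T10:20:00Z authd: login success user=admin src=192.0.2.10
"""


def parse(line: str):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Sliding-window detector keyed on source address.

    Emits ("password_guessing", src, user, n) once a source reaches `threshold`
    failures inside `window`, and ("guessing_then_success", src, user, n) when a
    success arrives while at least `threshold` failures are still in the window.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    alerted = set()              # sources already reported for the current burst
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unrelated or malformed record
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()  # expire failures older than the window
        if result == "failure":
            q.append(ts)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("password_guessing", src, user, len(q)))
        else:
            if len(q) >= threshold:
                # A success right after a burst: probable credential compromise.
                alerts.append(("guessing_then_success", src, user, len(q)))
            q.clear()
            alerted.discard(src)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second signal is the one worth paging on: a lone burst of failures is noise on an internet-facing management interface, but a success from the same source within the window means the guessing most likely worked and the admin credential should be rotated.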
