CVE-2026-24436
Published: 26 January 2026
Summary
CVE-2026-24436 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Tenda W30E Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE is ranked at the 12.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and AU-12 (Audit Record Generation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-7 enforces limits on consecutive unsuccessful logon attempts with automated lockout or delay actions, directly preventing unrestricted brute-force attacks on administrative credentials.
SC-5 provides denial-of-service protection (for example, per-source connection and request rate limits) that throttles the high request volume a brute-force run generates, so the attacker cannot test credentials at full speed even where no lockout exists.
AU-12 generates audit records for unsuccessful logon attempts, enabling detection of brute-force activity against authentication endpoints.
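The following block is an added example, not code from the Tenda firmware or from this advisory. It contrasts a login handler with the CWE-307 behaviour described above (every attempt evaluated, no counter, no delay) against one that implements AC-7 (lock a source after a fixed number of consecutive failures) and AU-12 (an audit record for every outcome), and runs a simulated T1110.001 password-guessing loop against both. The admin credential, the wordlist, the source address and the lockout parameters are constructed values for the simulation.

```python
# Added example: an AC-7 style lockout and AU-12 style audit trail for an
# administrative login endpoint. This is illustration code, not Tenda W30E
# firmware; the credential, the wordlist and the lockout parameters are
# constructed/assumed values.
import hmac
from dataclasses import dataclass, field

# Constructed admin credential for the simulation (the device's real one is unknown here).
ADMIN_PASSWORD = "correct-horse-7"


def check_password(candidate: str) -> bool:
    """Constant-time compare so the check itself leaks no timing signal.
    A real device would compare a salted hash, not the plaintext."""
    return hmac.compare_digest(candidate.encode(), ADMIN_PASSWORD.encode())


class VulnerableLogin:
    """Behaviour described by CWE-307: every attempt is evaluated, no counter, no delay."""

    def login(self, src_ip: str, password: str, now: float) -> bool:
        return check_password(password)


@dataclass
class HardenedLogin:
    """AC-7: lock a source after N consecutive failures; AU-12: record every outcome."""

    max_failures: int = 5
    lockout_seconds: float = 300.0
    failures: dict = field(default_factory=dict)      # src_ip -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # src_ip -> unix time the lock expires
    audit: list = field(default_factory=list)         # AU-12 audit records

    def _record(self, now: float, src_ip: str, outcome: str) -> None:
        self.audit.append({"ts": now, "src": src_ip, "event": "admin_login", "outcome": outcome})

    def login(self, src_ip: str, password: str, now: float) -> bool:
        if now < self.locked_until.get(src_ip, 0.0):
            self._record(now, src_ip, "rejected_locked")
            return False                      # not evaluated at all while locked
        if check_password(password):
            self.failures.pop(src_ip, None)   # a success resets the counter
            self._record(now, src_ip, "success")
            return True
        count = self.failures.get(src_ip, 0) + 1
        self.failures[src_ip] = count
        self._record(now, src_ip, "failure")
        if count >= self.max_failures:
            self.locked_until[src_ip] = now + self.lockout_seconds
            self.failures.pop(src_ip, None)
            self._record(now, src_ip, "lockout")
        return False


# Constructed wordlist: 1000 guesses with the real password at position 400.
WORDLIST = [f"password{i}" for i in range(1000)]
WORDLIST[400] = ADMIN_PASSWORD


def brute_force(target, wordlist, src_ip: str = "203.0.113.10", rate: float = 50.0):
    """Simulate T1110.001 from one source at `rate` attempts per second.
    Returns (recovered_password_or_None, attempts_made)."""
    for i, guess in enumerate(wordlist):
        if target.login(src_ip, guess, now=i / rate):
            return guess, i + 1
    return None, len(wordlist)


if __name__ == "__main__":
    print("vulnerable:", brute_force(VulnerableLogin(), WORDLIST))
    hardened = HardenedLogin()
    print("hardened:  ", brute_force(hardened, WORDLIST))
    outcomes = {}
    for rec in hardened.audit:
        outcomes[rec["outcome"]] = outcomes.get(rec["outcome"], 0) + 1
    print("audit outcomes:", outcomes)
```

Against the vulnerable handler the loop recovers the credential on the 401st attempt; against the hardened one it is locked out after five failures and the remaining 995 attempts are rejected without the password ever being evaluated, each leaving an audit record. Note that a lockout keyed only on source address, as here, can be spread across many addresses, and a lockout keyed only on the account lets an attacker lock the administrator out; a production implementation usually combines a per-source lock with a per-account delay and, as AU-12 requires, ships the records off the device so a detection pipeline can see them.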
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Password Guessing (T1110.001): because the authentication endpoints enforce no rate limit or lockout, an attacker can submit guesses against the administrative credentials without restriction until one succeeds.
NVD Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials.
Deeper analysis
CVE-2026-24436 is a critical vulnerability in the Shenzhen Tenda W30E V2 router firmware, affecting versions up to and including V16.01.0.19(5037). The issue arises from the lack of rate limiting or account lockout mechanisms on authentication endpoints, which permits unrestricted brute-force attacks against administrative credentials. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-307: Improper Restriction of Excessive Authentication Attempts.
Any remote attacker with network access to the device's management interface can exploit this vulnerability without privileges or user interaction. A brute-force run that succeeds yields the administrative credentials, which gives full control over the router's configuration and traffic and therefore high impact on confidentiality, integrity, and availability.
Mitigation guidance and additional details are available on the Tenda product page at https://www.tendacn.com/product/W30E and in the VulnCheck advisory at https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-rate-limiting-on-authentication.
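Until a fixed firmware is available, the practical defence is to detect the guessing from the audit trail. The following block is an added example, not part of this advisory or of any Tenda software: a detection pass for T1110.001 over constructed httpd-style log lines that flags a source once it accumulates a threshold of failures inside a time window, and raises the severity when a success follows such a burst. The log line format, the field names, the addresses and the thresholds are assumptions made for the illustration.

```python
# Added example: a detection pass for T1110.001 over constructed W30E-style
# httpd log lines. The log format, field names and thresholds are assumptions
# for the illustration; they are not Tenda's real log format.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ httpd: login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_login_event(line: str):
    """Return a dict for a login line, or None for any other log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_password_guessing(lines, threshold: int = 10, window: timedelta = timedelta(seconds=60)):
    """Flag a source after `threshold` failures inside `window` (medium), and flag a
    success that follows a burst of failures from the same source (high)."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_login_event(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()               # drop failures that have aged out of the window
        if ev["result"] == "failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"technique": "T1110.001", "severity": "medium",
                               "src": ev["src"], "user": ev["user"], "failures": len(q)})
        else:
            if len(q) >= 3:           # a success right after a burst: likely a guessed credential
                alerts.append({"technique": "T1110.001", "severity": "high",
                               "src": ev["src"], "user": ev["user"], "failures": len(q)})
            q.clear()
    return alerts


def _line(second: int, result: str, src: str, user: str = "admin") -> str:
    return f"2026-01-27T10:00:{second:02d}Z W30E httpd: login {result} user={user} src={src}"


# Constructed sample log: one admin typo then success, then a 12-guess burst
# from another source that ends in a successful login, plus an unrelated line.
SAMPLE_LOG = (
    [_line(1, "failed", "192.0.2.20"), _line(5, "ok", "192.0.2.20")]
    + [_line(10 + i, "failed", "203.0.113.10") for i in range(12)]
    + [_line(23, "ok", "203.0.113.10")]
    + ["2026-01-27T10:00:30Z W30E kernel: eth0 link up"]
)

if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

On the sample log the pass produces two alerts for 203.0.113.10 (a medium one at the tenth failure and a high one when the success lands after twelve failures) and none for the legitimate administrator's single typo. The window-and-threshold logic is the same whether the records come from the router's own syslog or, where the device cannot be made to emit them, from a reverse proxy or firewall placed in front of its management interface.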
Details
- CWE(s)