Cyber Posture

CVE-2026-24440

High · Public PoC

Published: 26 January 2026
Modified: 28 January 2026
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.1th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24440 is a high-severity Unverified Password Change (CWE-620) vulnerability in Tenda W30E Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Account Manipulation (T1098). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

IA-11 Re-authentication (prevent)
Requires re-authentication prior to privileged operations like password changes, directly preventing unauthorized modifications without verifying existing credentials.

IA-5 Authenticator Management (prevent)
Mandates secure authenticator management including identity verification before changing passwords, addressing the lack of existing password verification in the maintenance interface.

Flaw remediation (prevent, recover)
Requires timely identification, testing, and installation of firmware updates to remediate the specific vulnerability allowing unauthorized password changes.

MITRE ATT&CK Enterprise Techniques

T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Vulnerability enables unauthorized password changes on administrative accounts via the exposed maintenance interface (with low-priv access), directly facilitating account manipulation for device takeover.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained.

Deeper analysis

CVE-2026-24440 is a vulnerability in the firmware of the Shenzhen Tenda W30E V2 router, affecting versions up to and including V16.01.0.19(5037). It enables attackers to change account passwords via the maintenance interface without requiring verification of the existing password. The issue, published on 2026-01-26, is mapped to CWE-620 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Exploitation requires low privileges (PR:L) and network access (AV:N) to the affected endpoint, with low attack complexity and no user interaction needed. Once access to the maintenance interface is obtained, an attacker can perform unauthorized password changes, compromising administrative accounts and achieving high impacts on confidentiality, integrity, and availability, such as full device takeover.
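To make the CWE-620 pattern and the IA-11 mitigation concrete, the following added example (illustrative code, not Tenda's firmware) models a password-change endpoint in two forms: one that replaces the credential without asking for the current password, and one that re-authenticates first. The in-memory account store, PBKDF2 parameters and function names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Illustrative account model (constructed for this example): passwords are
# stored as salted PBKDF2-HMAC-SHA256 digests, never in clear text.
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    salt: bytes
    digest: bytes


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, _derive(password, salt))


def verify_password(acct: Account, candidate: str) -> bool:
    # Constant-time comparison so a mismatch does not leak timing information.
    return hmac.compare_digest(acct.digest, _derive(candidate, acct.salt))


def change_password_unverified(acct: Account, new_password: str) -> bool:
    # CWE-620 pattern: the endpoint replaces the credential for any caller
    # that can reach it, without proof of knowledge of the existing password.
    acct.salt = os.urandom(16)
    acct.digest = _derive(new_password, acct.salt)
    return True


def change_password_verified(acct: Account, current_password: str,
                             new_password: str) -> bool:
    # Hardened form (NIST 800-53 IA-11 re-authentication): the existing
    # password must verify before the credential is rotated. A failed
    # re-authentication leaves the stored digest untouched.
    if not verify_password(acct, current_password):
        return False
    acct.salt = os.urandom(16)
    acct.digest = _derive(new_password, acct.salt)
    return True
```

A failed call to change_password_verified is also a useful audit event: repeated failures against an administrative account on a maintenance interface are a signal worth logging and alerting on.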

Mitigation guidance is available in vendor and advisory resources, including the Tenda product page at https://www.tendacn.com/product/W30E and the VulnCheck advisory at https://www.vulncheck.com/advisories/tenda-w30e-v2-allows-password-change-without-verifying-current-password.

Details

CWE(s): CWE-620 Unverified Password Change

Affected Products

tenda / w30e firmware / ≤ 16.01.0.19(5037)

CVEs Like This One

CVE-2026-38835 · Same product: Tenda W30E
CVE-2025-57085 · Same product: Tenda W30E
CVE-2026-24430 · Same product: Tenda W30E
CVE-2026-24429 · Same product: Tenda W30E
CVE-2026-38834 · Same product: Tenda W30E
CVE-2026-24436 · Same product: Tenda W30E
CVE-2026-24428 · Same product: Tenda W30E
CVE-2026-27757 · Shared CWE-620
CVE-2026-24443 · Shared CWE-620
CVE-2026-40588 · Shared CWE-620

References