Impact
The Tenda W30E V2 firmware embeds a hardcoded default password for a built‑in authentication account, and initial configuration does not require that password to be changed. An attacker who supplies the default credentials can log in and gain authenticated access to the router's management interface. The impact is classic credential misuse: the attacker can alter device settings, monitor traffic, or use the device as part of a larger attack chain. This weakness maps to CWE-1393, identifying it as a hardcoded or default credential issue.
Affected Systems
The affected device is the Shenzhen Tenda Technology Co., Ltd. W30E V2 router. Firmware versions up to and including V16.01.0.19(5037) contain the hardcoded default password. No other manufacturers or product lines are listed as affected.
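An inventory triage check for the version range above, added here as an example and not taken from the advisory or from Tenda. It assumes firmware strings follow the `V<a>.<b>.<c>.<d>(<build>)` shape seen in the advisory and that the parenthesised build number orders last; the hostnames and the other versions in the sample are constructed.

```python
import re

# Last affected firmware per the advisory text above.
LAST_AFFECTED = "V16.01.0.19(5037)"

# Assumed format: V<major>.<minor>.<patch>.<rev>(<build>), build optional.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\((\d+)\))?$", re.IGNORECASE)


def parse_version(text):
    """Return a comparable tuple, or None when the string does not parse."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rev, build = m.groups()
    # A missing build number sorts lowest, so such a device is flagged
    # rather than silently treated as newer (assumption, fail closed).
    return (int(major), int(minor), int(patch), int(rev), int(build or 0))


def triage(inventory):
    """Classify each (host, model, firmware) row against the advisory."""
    limit = parse_version(LAST_AFFECTED)
    results = {}
    for host, model, firmware in inventory:
        if model.strip().upper() != "W30E V2":
            results[host] = "not-in-scope"
            continue
        version = parse_version(firmware)
        if version is None:
            results[host] = "review"  # unparseable: check by hand
        elif version <= limit:
            results[host] = "affected"
        else:
            # The advisory names no fixed release, so this is not "patched".
            results[host] = "newer-than-advisory"
    return results


# Constructed sample inventory (hosts and versions are made up).
SAMPLE = [
    ("rtr-01", "W30E V2", "V16.01.0.19(5037)"),
    ("rtr-02", "W30E V2", "V16.01.0.8(2625)"),
    ("rtr-03", "W30E V2", "V16.01.0.21(6001)"),
    ("rtr-04", "W30E V2", "16.01.0.19"),
    ("rtr-05", "AC10", "V16.03.10.13"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

Devices reported as `affected` or `review` are the ones to check for an unchanged built-in account password and for management-interface exposure.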
Risk and Exploitability
The CVSS v3.1 score of 9.3 indicates critical severity. Despite the extremely low EPSS score (<1%), the threat remains high because an attacker only needs to know or guess a single known credential pair to gain privileged access. The likely attack vector is remote access to the router's web‑based management interface over the LAN or WAN, which many home and small‑office networks expose. Because the default credentials remove the need for credential discovery or exploitation of other software, remediation is crucial even if the actual probability of exploitation is low.