Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception.
Published: 2026-01-26
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Plaintext credential disclosure via unencrypted HTTP responses
Action: Patch Update
AI Analysis

Impact

Shenzhen Tenda W30E V2 firmware releases through V16.01.0.19(5037) expose account credentials in cleartext within HTTP responses generated by the maintenance interface. This flaw allows sensitive information leakage and violates confidentiality. The weakness is a known data‑exposure vulnerability (CWE-201).

Affected Systems

The affected product is the Tenda W30E V2 router from Shenzhen Tenda Technology Co., Ltd. Version families up to and including firmware V16.01.0.19(5037) are impacted. These devices expose credentials for the local management interface via HTTP.

Risk and Exploitability

The CVSS v3 base score of 8.2 classifies this as a high‑severity flaw. EPSS indicates a very low exploitation probability (<1%), and the CVE is not listed in the CISA KEV catalog. Attackers would need to be on the same network segment to intercept unencrypted HTTP traffic to the device’s maintenance interface; no elevated privileges or code execution are required. The risk is concentrated on confidentiality compromise rather than denial of service or availability impacts.

Generated by OpenCVE AI on April 16, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Tenda firmware update (V16.01.0.19(5037) or later) to eliminate the plaintext credential leakage.
  • Reconfigure the router to use HTTPS for the management interface or disable HTTP access entirely.
  • Restrict the management interface to a trusted internal subnet or firewall rule to prevent external network traffic from reaching the interface.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda w30e Firmware
CPEs | | cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*; cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda w30e Firmware
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 27 Jan 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda; Tenda w30e
Vendors & Products | | Tenda; Tenda w30e

Mon, 26 Jan 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception.
Title | | Tenda W30E V2 HTTP Responses Expose Plaintext Credentials
Weaknesses | | CWE-201
References | |
Metrics | | cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:31.966Z

Reserved: 2026-01-22T20:23:19.802Z

Link: CVE-2026-24430

Vulnrichment

Updated: 2026-01-26T18:50:59.780Z

NVD

Status: Analyzed

Published: 2026-01-26T18:16:40.423

Modified: 2026-01-28T20:16:51.880

Link: CVE-2026-24430

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:45:27Z

Weaknesses