Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials.
Published: 2026-01-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Administrative Credential Disclosure
Action: Patch Immediately
AI Analysis

Impact

Shenzhen Tenda firmware up to V16.01.0.19 displays stored user account passwords in plaintext within the administrative web interface. The flaw discloses administrative credentials to any user who can access the affected management pages, exposing sensitive login information and compromising the confidentiality of device control.

Affected Systems

The vulnerability affects Shenzhen Tenda Technology Co., Ltd. W30E V2 routers running firmware versions up to V16.01.0.19(5037). Network administrators or anyone with web‑interface access to these devices can view the cleartext passwords.

Risk and Exploitability

The CVSS vector scores the issue at 7.1, indicating a high impact when exploited. EPSS is below 1 %, suggesting a low probability of exploitation, and it is not listed in CISA’s KEV catalog. The likely attack vector is local or remote access to the administrative web interface, which provides direct visibility into stored credentials. Once exposed, the attacker can use the passwords to gain full control over the device or attempt credential stuffing against other services.

Generated by OpenCVE AI on April 16, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Shenzhen Tenda that removes the cleartext password display. It is the most authoritative fix and should be deployed as a priority.
  • If an immediate firmware upgrade is unavailable, restrict access to the administrative interface by firewall rules or VLAN segmentation to limit who can reach the web UI. This reduces the exposure surface for potential attackers.
  • Enforce a strong password policy and periodically change administrative credentials; use complex, unique passwords to mitigate the risk if any credentials are exposed.

Generated by OpenCVE AI on April 16, 2026 at 17:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Tenda w30e Firmware
CPEs cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*
cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda w30e Firmware
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda w30e
Vendors & Products Tenda
Tenda w30e

Mon, 26 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
Description Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials.
Title Tenda W30E V2 Web UI Reveals Passwords in Cleartext
Weaknesses CWE-317
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Tenda W30e W30e Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:32.749Z

Reserved: 2026-01-22T20:23:19.803Z

Link: CVE-2026-24431

cve-icon Vulnrichment

Updated: 2026-01-26T21:07:35.228Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-26T18:16:40.567

Modified: 2026-01-28T20:14:45.130

Link: CVE-2026-24431

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:45:27Z

Weaknesses