Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered by an authenticated user’s browser, modify administrative passwords and other configuration settings.
Published: 2026-01-26
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized alteration of router configuration via cross-site request forgery
Action: Patch Firmware
AI Analysis

Impact

Shenzhen Tenda W30E V2 firmware versions up to V16.01.0.19(5037) do not protect administrative endpoints against cross-site request forgery. An attacker can craft a malicious request that, when executed by an authenticated user's browser, changes administrator passwords and other configuration settings. The vulnerability enables unauthorized modification of device settings and can lead to loss of administrative control.

Affected Systems

The affected device is the Shenzhen Tenda W30E V2 router. Firmware versions V16.01.0.19(5037) and earlier are vulnerable. The product is listed in the Tenda company catalogue and is commonly deployed in home and small‑office networks.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score of less than 1% shows a very low likelihood of current exploitation, and the vulnerability is not present in the CISA KEV catalog. The attack vector is inferred to be a browser-based CSRF, requiring an authenticated user to visit a specially crafted URL. The weakness corresponds to CWE-352: Cross-Site Request Forgery.

Generated by OpenCVE AI on April 16, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to the latest firmware release that includes CSRF protection for administrative endpoints.
  • If a firmware update is not available, restrict or block external access to the router’s administrative web interface using a firewall or device ACL.
  • Disable remote administration or enforce strict authentication policies to limit the number of authenticated sessions that could be exploited.

Generated by OpenCVE AI on April 16, 2026 at 17:39 UTC.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda w30e Firmware
CPEs | | cpe:2.3:h:tenda:w30e:-:*:*:*:*:*:*:*, cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda w30e Firmware
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 27 Jan 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda, Tenda w30e
Vendors & Products | | Tenda, Tenda w30e

Mon, 26 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered by an authenticated user’s browser, modify administrative passwords and other configuration settings.
Title | | Tenda W30E V2 Missing CSRF Protections for Administrative Actions
Weaknesses | | CWE-352
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:33.591Z

Reserved: 2026-01-22T20:23:19.803Z

Link: CVE-2026-24432

Vulnrichment

Updated: 2026-01-26T20:52:52.953Z

NVD

Status: Analyzed

Published: 2026-01-26T18:16:40.713

Modified: 2026-01-28T20:11:24.923

Link: CVE-2026-24432

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:45:27Z
