Impact
Shenzhen Tenda W30E V2 devices running firmware up through V16.01.0.19(5037) expose administrative endpoints with a permissive Cross-Origin Resource Sharing (CORS) policy. The firmware sets Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true, permitting any origin to issue authenticated requests and read sensitive responses. An attacker who can send cross-origin requests to the device from a web page they control can retrieve confidential configuration data or other privileged information without needing to compromise the device directly.
Affected Systems
The vulnerability affects the Shenzhen Tenda W30E V2 router. All firmware releases up to and including V16.01.0.19(5037) are impacted. Devices running newer firmware versions that have removed or limited the permissive CORS policy are not affected.
Risk and Exploitability
The CVSS base score of 7.1 indicates high severity. EPSS puts the exploitation likelihood below 1%, suggesting this flaw is not widely exploited currently. The vulnerability is not listed in the CISA KEV catalog, so it has not been reported as actively exploited. An attacker would typically need access to a browser environment that can direct requests to the device, such as a local network or a compromised machine that can reach the router. Once the attacker can induce credentialed cross-origin requests, they can read responses from administrative endpoints, leading to significant confidentiality compromise.
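To check a device you administer for the header combination described under Impact, the following added example (not code from the vendor or from this advisory) audits a saved HTTP response head. It also flags two related misconfigurations the advisory does not mention, reflected and null origins with credentials. The function names, probe origin and sample responses are constructed for illustration.

```python
# Added example: constructed sample data, hypothetical function names.
PROBE_ORIGIN = "https://audit.example"  # constructed origin sent as the Origin header

# Constructed response heads (not captured from a real device).
SAMPLE_PERMISSIVE = ("HTTP/1.1 200 OK\r\n"
                     "Content-Type: application/json\r\n"
                     "Access-Control-Allow-Origin: *\r\n"
                     "access-control-allow-credentials: true\r\n\r\n")
SAMPLE_REFLECTED = ("HTTP/1.1 200 OK\r\n"
                    "Access-Control-Allow-Origin: https://audit.example\r\n"
                    "Access-Control-Allow-Credentials: true\r\n\r\n")
SAMPLE_RESTRICTED = ("HTTP/1.1 200 OK\r\n"
                     "Access-Control-Allow-Origin: http://192.168.0.1\r\n\r\n")


def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_cors(raw, probe_origin):
    """Return CORS findings for a response to a request sent with probe_origin."""
    h = parse_headers(raw)
    origins = h.get("access-control-allow-origin", [])
    # The Fetch standard compares this value case-sensitively against "true".
    creds = "true" in h.get("access-control-allow-credentials", [])
    findings = []
    if "*" in origins:
        findings.append("wildcard-origin-with-credentials" if creds else "wildcard-origin")
    if creds and probe_origin in origins:
        findings.append("reflected-origin-with-credentials")
    if creds and "null" in origins:
        findings.append("null-origin-with-credentials")
    return findings


if __name__ == "__main__":
    samples = [("permissive", SAMPLE_PERMISSIVE), ("reflected", SAMPLE_REFLECTED),
               ("restricted", SAMPLE_RESTRICTED)]
    for label, raw in samples:
        print(label, audit_cors(raw, PROBE_ORIGIN) or "no findings")
```

An empty result for an administrative endpoint means none of these three patterns is present in that response; it does not by itself confirm the firmware is fixed.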