Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials.
Published: 2026-01-26
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted brute‑force authentication to admin credentials
Action: Patch
AI Analysis

Impact

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to enforce rate limiting or account lockout on authentication endpoints. This flaw allows attackers to make unlimited login attempts against administrative credentials.

Affected Systems

The vulnerability affects devices manufactured by Shenzhen Tenda Technology Co., Ltd, specifically the W30E V2 router model whose firmware is version V16.01.0.19(5037) or earlier.

Risk and Exploitability

A CVSS score of 9.2 indicates critical severity, but the EPSS score of less than 1 percent suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The primary attack vector is a remote, unauthenticated brute‑force effort against the router’s web or command‑line authentication interfaces, enabled by the absence of rate limiting and lockout mechanisms.

Generated by OpenCVE AI on April 18, 2026 at 02:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router firmware to a version released after V16.01.0.19(5037) that implements authentication rate limiting and account lockout.
  • Restrict external access to the administrative interfaces by configuring the device’s firewall or applying VLAN segmentation, allowing only trusted IP addresses.
  • Set a strong, unique administrative password and avoid using factory default credentials.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda w30e Firmware
CPEs | | cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*
     | | cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda w30e Firmware
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 27 Jan 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda; Tenda w30e
Vendors & Products | | Tenda; Tenda w30e

Mon, 26 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials.
Title | | Tenda W30E V2 Lacks Rate Limiting on Authentication
Weaknesses | | CWE-307
References | |
Metrics | | cvssV4_0: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:37.277Z

Reserved: 2026-01-22T20:23:19.803Z

Link: CVE-2026-24436

Vulnrichment

Updated: 2026-01-26T21:05:53.926Z

NVD

Status: Analyzed

Published: 2026-01-26T18:16:41.167

Modified: 2026-01-28T19:57:17.200

Link: CVE-2026-24436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:45:27Z

Weaknesses