Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access.
Published: 2026-01-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized credential storage and theft via cached admin pages
Action: Apply patch
AI Analysis

Impact

Shenzhen Tenda W30E V2 firmware through V16.01.0.19 serves sensitive administrative content without proper cache‑control headers. This omission allows browsers to store credential‑bearing responses, enabling anyone who can later access the browser cache to retrieve administrative credentials. The vulnerability does not grant arbitrary code execution but exposes stored credentials to subsequent unauthorized use.

Affected Systems

The affected devices are Tenda W30E V2 routers manufactured by Shenzhen Tenda Technology Co., Ltd. All firmware releases up to and including V16.01.0.19 (item number 5037) are vulnerable; newer firmware codes are not documented as affected.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate impact. The low EPSS (<1%) reflects that exploitation is unlikely in the wild, and the vulnerability is not currently in CISA's KEV catalog. The attack scenario requires an attacker to persuade a legitimate user to load an administrative page in a browser that then preserves the response offline; thereafter the attacker or an opportunistic third party can retrieve cached credentials. Because the flaw only affects cached local content, the risk is confined to environments where users leave credentials stored or share machines.

Generated by OpenCVE AI on April 16, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a version where the cache‑control fix for credential‑bearing pages has been applied.
  • If an update is unavailable, configure the device or your network to disable local caching for administrative interfaces, or delete browser caches that may contain sensitive content.
  • Enforce strict access controls on the router’s administration portal, use HTTPS with HSTS, and disable or monitor any use of legacy insecure protocols.

Generated by OpenCVE AI on April 16, 2026 at 17:40 UTC.
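
The recommended actions above depend on the administrative pages carrying a directive that forbids storage, not merely one that forces revalidation. As an added example (not OpenCVE's or Tenda's code), this Python check audits a response's headers for that; the function names and the header sets are constructed for illustration and were not captured from a device.

```python
# Added example: flags responses that a browser is still allowed to write to
# its local cache (CWE-525). All sample header sets are constructed.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_sensitive_response(headers):
    """Return findings; an empty list means the response must not be stored."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:  # the only directive that forbids storage outright
        return []
    findings = []
    if not cc:
        findings.append("no Cache-Control directives: browser may cache heuristically")
    if "no-cache" in cc:
        findings.append("no-cache forces revalidation but still allows storage")
    if "private" in cc:
        findings.append("private excludes shared caches only, not the browser cache")
    if "max-age" in cc:
        findings.append("max-age=%s sets freshness; the body is still stored" % cc["max-age"])
    if "pragma" in h:
        findings.append("Pragma is a legacy HTTP/1.0 hint, not a storage ban")
    findings.append("missing no-store on a credential-bearing response")
    return findings


# Constructed samples: no cache headers, a common partial fix, and a hardened response.
SAMPLES = {
    "unhardened": {"Content-Type": "text/html"},
    "partial": {"Cache-Control": "no-cache, private", "Pragma": "no-cache"},
    "hardened": {"Cache-Control": "no-store"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        result = audit_sensitive_response(headers)
        print(name, "OK" if not result else result)
```
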

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda w30e Firmware
CPEs | | cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*
 | | cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda w30e Firmware
Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Tue, 27 Jan 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda
 | | Tenda w30e
Vendors & Products | | Tenda
 | | Tenda w30e

Mon, 26 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access.
Title | | Tenda W30E V2 Missing Cache Controls for Credential-bearing Pages
Weaknesses | | CWE-525
References | |
Metrics | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:38.123Z

Reserved: 2026-01-22T20:23:19.803Z

Link: CVE-2026-24437

Vulnrichment

Updated: 2026-01-26T21:06:46.201Z

NVD

Status: Analyzed

Published: 2026-01-26T18:16:41.317

Modified: 2026-01-28T19:49:11.033

Link: CVE-2026-24437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:45:27Z

Weaknesses