The vulnerability allows an attacker who has reached the maintenance interface of the Tenda W30E V2 router to change an account password without first providing the existing password. This omission of credential verification enables the attacker to replace legitimate passwords, effectively taking control of an account or locking out the original user. The weakness is a classic instance of improper credential verification (CWE‑620) and could be used to subvert administrative access, disrupt services, or facilitate further attacks against the network.

Shenzhen Tenda Technology Co., Ltd. routers, specifically the W30E V2 model with firmware versions up to V16.01.0.19(5037). Only firmware versions prior to this are affected; newer releases are presumed to have fixed the issue.

The CVSS score of 8.7 indicates high severity, while the EPSS score of less than 1 % suggests the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote or local access to the device’s maintenance web interface, where an authorised user normally changes passwords; attackers could exploit an unauthenticated or session‑hijacked connection to perform the change without authentication. The risk is elevated for devices exposed to wide networks or with weak default credentials.