Tenda W18E Incorrect Access Control Vulnerability Allowing Unauthorized Password Changes

Vulnerability

An incorrect access control vulnerability has been identified in the Tenda W18E router, specifically in version 16.01.0.8(1625). It allows an unauthenticated remote attacker to change the administrator password through the web management portal. The issue is triggered by sending a specially crafted HTTP POST request to the setLoginPassword function, which bypasses the authentication mechanism.

Impact

Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to unauthorized administrative access on the device.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.