Tenda W30E V2 Authorization Flaw Allows Password Change for Administrator Account

Vulnerability

An authorization vulnerability has been identified in the user management API of the Tenda W30E V2 router, affecting firmware versions through V16.01.0.19(5037). This flaw allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request to the backend endpoint, an attacker can bypass the role-based restrictions of the web interface and gain full administrative privileges.

Impact

Exploiting this vulnerability allows an unauthorized password change on the administrator account, potentially leading to unauthorized administrative access.

Added: Jan 26, 2026, 6:30 PM
Updated: Jan 26, 2026, 6:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 4.9
remediation: 0.0
relevance: 2.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.