📦

w30e

Vendor: tenda

Login to add this product to WatchStack
Actively Exploited 0 CISA KEV List
PoC / Exploits 1 Code Available
Total RCEs 40 Remote Access
Total CVEs 80 Total Indexed
Avg. EPSS 0.75% Exploit Prob.
Latest CVE CVE-2026-38835 Apr 21

Security Vulnerability Index

Page 2 / 8
8.2 CVSS
CVE-2026-24430

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception.

EPSS: 0.06%
9.3 CVSS
CVE-2026-24429

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated access to the management interface.

EPSS: 0.14%
8.7 CVSS
CVE-2026-24428

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges.

EPSS: 0.07%
7.5 CVSS
CVE-2025-57086

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the String parameter in the formDeleteMeshNode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

EPSS: 0.14%
9.8 CVSS
CVE-2025-57085

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

EPSS: 0.15%
7.5 CVSS
CVE-2025-57087

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the countryCode parameter in the werlessAdvancedSet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

EPSS: 0.14%
8.0 CVSS
CVE-2024-52789

Tenda W30E v2.0 V16.01.0.8 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root.

EPSS: 0.18%
8.8 CVSS
CVE-2024-4171

A vulnerability classified as critical has been found in Tenda W30E 1.0/1.0.1.25. Affected is the function fromWizardHandle of the file /goform/WizardHandle. The manipulation of the argument PPW leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-261990 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

EPSS: 0.27%
8.0 CVSS
CVE-2024-32293

Tenda W30E v1.0 V1.0.1.25(633) firmware has a stack overflow vulnerability via the page parameter in the fromDhcpListClient function.

EPSS: 5.85%
8.8 CVSS
CVE-2024-32292
RCE

Tenda W30E v1.0 V1.0.1.25(633) firmware contains a command injection vulnerablility in the formexeCommand function via the cmdinput parameter.

EPSS: 1.03%