Vendor: Tenda (Shenzhen Tenda Technology Co., Ltd.)
Product: Tenda W30EV2.0 Wireless Router
Firmware Version: V16.01.0.21
Discovered by: 0xh3y3
Discovery Date: 2026-03-29
Status: Awaiting CVE assignment
File: repo_1.md
Multiple endpoints in the httpd web server lack authentication checks, allowing an unauthenticated remote attacker to reset the administrator password and fully take over device management.
Affected endpoints:
- /goform/setLoginPassword
- /goform/initAdminUser
- /goform/setIspConfig
CWE: CWE-306 (Missing Authentication for Critical Function)
CVSS v3: 9.8 (Critical)
File: repo_2.md
The formSwitchImsMode function (at address 0x952e0) in httpd passes the user-controlled macAddr parameter directly as a format string argument, leading to a format string vulnerability that can be leveraged for memory disclosure or arbitrary write.
Affected endpoint: /goform/module → setSwitchImsMode
CWE: CWE-134 (Use of Externally-Controlled Format String)
CVSS v3: 8.0 (High)
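
The CWE-134 fix pattern for a handler that formats `macAddr`, as an added example that is not code from the report or from Tenda's firmware: the input is validated as a MAC address and passed only as a data argument to a constant format string. The function names, the `mac=` output layout and the use of `snprintf` are assumptions; the report states only that `macAddr` reaches a format string argument.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accept only the canonical form XX:XX:XX:XX:XX:XX (17 chars, hex pairs, ':'). */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        int ok = (i % 3 == 2) ? (s[i] == ':') : isxdigit((unsigned char)s[i]);
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hypothetical handler fragment (names and output layout are assumptions).
 * Vulnerable pattern (input used as the format): snprintf(out, outlen, mac_addr);
 * Hardened: reject anything that is not a well-formed MAC, then pass it only
 * as a data argument to a constant format string.
 * Returns 0 on success, -1 on rejected input or truncation (out is emptied). */
int format_mac_entry(char *out, size_t outlen, const char *mac_addr)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (!is_valid_mac(mac_addr))
        return -1;
    int n = snprintf(out, outlen, "mac=%s", mac_addr);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one valid MAC, two carrying format specifiers. */
    const char *samples[] = { "00:11:22:AA:bb:cc", "%x.%x.%x.%x", "00:11:22:AA:bb:c%" };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = format_mac_entry(buf, sizeof buf, samples[i]);
        printf("%-18s rc=%d out=\"%s\"\n", samples[i], rc, buf);
    }
    return 0;
}
```

Building firmware sources with `-Wformat -Wformat-security` (GCC/Clang) flags printf-family calls whose format argument is not a string literal, which is the pattern this report describes.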
| Date | Event |
|---|---|
| 2026-03-29 | Vulnerabilities discovered |
| 2026-03-29 | Reported to vendor (support@tenda.cn) |
| 2026-03-29 | Submitted to CNVD |
| 2026-03-29 | CVE requested via GitHub Security Advisory |
PoC HTTP requests are included in each report file. Use only against devices you own or have explicit authorization to test.