CRITICAL🇵🇱 Wersja polska

CVE-2026-38835

CVSS 9.8v3.1pub. 2026-04-21upd. 2026-04-27

Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

🤖 AI Analysis
How it works

The vulnerability results from improper validation and sanitization of the usbPartitionName parameter passed to the formSetUSBPartitionUmount function. An attacker can craft a malicious request containing injected system commands that will be executed by the device in the context of its operating system. The attack requires no authentication or user interaction, and the attack vector is network-based, which significantly increases the risk.

Impact

An attacker can gain full control over the device by remotely executing arbitrary system commands, leading to violations of system confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until a fix is released, it is recommended to restrict access to the device management interface only to trusted hosts and isolate the device from untrusted networks.

Who is affected

Tenda W30E V2.0 with firmware version V16.01.0.21

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Tenda W30e

    HW
    Tenda
    2.0
  • Tenda W30e Firmware

    OS
    Tenda
    16.01.0.21
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-24429CRITICAL9.3PL ✓ten sam produkt

Tenda W30E V2 — predefiniowane domyślne hasło w firmware umożliwia nieautoryzowany dostęp

CVE-2026-24436CRITICAL9.2PL ✓ten sam produkt

Brak ograniczenia prób logowania w Tenda W30E — atak brute-force

CVE-2025-57085CRITICAL9.8PL ✓ten sam produkt

Tenda W30E — stack overflow w funkcji UploadCfg (parametr v17)

CVE-2024-32286CRITICAL9.8PL ✓ten sam produkt

Stack overflow w Tenda W30E przez parametr 'page' w funkcji fromVirtualSer

CVE-2023-49403CRITICAL9.8PL ✓ten sam produkt

Command injection w routerze Tenda W30E poprzez funkcję setFixTools