AES Key Reuse Vulnerability in Tenda RX2 Pro by Tenda
CVE-2025-46626

7.3HIGH

Key Information:

Vendor: Tenda
Status: Tenda RX2 Pro
Vendor: CVE Published:; 1 May 2025

What is CVE-2025-46626?

A vulnerability exists in the Tenda RX2 Pro where a static AES key and initialization vector are reused for encrypted communication with the 'ate' management service. This design flaw allows potential attackers to decrypt traffic, replay communications, or forge messages, compromising the integrity and confidentiality of the affected service. This issue is critical for users relying on secure data transmission for IoT functionalities, as it opens the door to various cyberattacks.

References

https://www.tendacn.com/us/default.html

https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pr...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2025