AES Key Reuse Vulnerability in Tenda RX2 Pro by Tenda
CVE-2025-46626

7.3 HIGH

Key Information:

Vendor: Tenda
CVE Published: 1 May 2025

Summary

A vulnerability exists in the Tenda RX2 Pro: a static AES key and initialization vector are reused for encrypted communication with the 'ate' management service. This design flaw allows attackers to decrypt traffic, replay communications, or forge messages, compromising the confidentiality and integrity of the affected service. The issue is critical for users who rely on secure data transmission for IoT functionality.

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
