Command Injection Vulnerability in Tenda RX2 Pro by Tenda
CVE-2025-46628

7.3HIGH

Key Information:

Vendor: Tenda
Status: Tenda RX2 Pro
Vendor: CVE Published:; 1 May 2025

Summary

A critical input validation flaw in the 'ate' management service of the Tenda RX2 Pro 16.03.30.14 permits remote attackers to exploit the device. By sending a specially crafted UDP packet to the enabled 'ate' service, attackers can gain root shell access without the need for authentication, leading to potential unauthorized control over the device.

References

https://www.tendacn.com/us/default.html

https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pr...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 1, 2025