Cleartext Transmission Vulnerability in Tenda RX2 Pro Web Management Portal
CVE-2025-46633

8.2HIGH

Key Information:

Vendor: Tenda
Status: RX2 Pro
Vendor: CVE Published:; 1 May 2025

Summary

The Tenda RX2 Pro web management portal is susceptible to a vulnerability that allows an attacker to intercept and decrypt sensitive information during transmission. The issue arises from the cleartext transmission of a symmetric AES key following successful authentication, which could lead to exposure of confidential data. Specifically, the Initialization Vector (IV) used in the AES encryption is static, facilitating potential exploitation by attackers who are able to acquire and analyze the unprotected traffic.

References

https://www.tendacn.com/us/default.html

https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pr...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 1, 2025