Sensitive Information Exposure in Tenda RX2 Pro Web Management Portal
CVE-2025-46634

8.2 HIGH

Key Information:

Vendor
Tenda
Status
Vendor
CVE Published:
1 May 2025

Summary

The Tenda RX2 Pro web management portal transmits sensitive information in cleartext, which allows unauthenticated attackers to intercept credentials as they are sent over the network. Although the product implements encryption for user authentication, it does not secure the password hash until after the hash has already been transmitted in cleartext, so an attacker who captures the hash can replay it to gain unauthorized access to the portal. This flaw in data handling exposes users to credential theft and unauthorized system access.

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published