Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-46633

Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.

Published

2025-05-01T20:15:39.310

Last Modified

2025-05-27T14:17:34.780

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.2 (HIGH)

Weaknesses

Type: Secondary
CWE-312

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	tenda	rx2_pro_firmware	16.03.30.14	Yes
Hardware	tenda	rx2_pro	-	No

References

https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pro/README?id=cve-2025-46633-transmission-of-plaintext-symmetric-key-in-httpd Exploit, Third Party Advisory ([email protected])
https://www.tendacn.com/us/default.html Product ([email protected])