CVE-2025-46625

HIGH

Tenda RX2 Pro 16.03.30.14 - Command Injection


Description

Lack of input validation/sanitization in the 'setLanCfg' API endpoint in httpd in the Tenda RX2 Pro 16.03.30.14 allows a remote attacker who is authorized on the web management portal to gain root shell access to the device by sending a crafted web request. The effect is persistent because the injected command is saved in the device configuration.

Scores

CVSS v3: 8.8
EPSS: 0.0175
EPSS Percentile: 82.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-77
Status: published
Products (1): tenda/rx2_pro_firmware 16.03.30.14
Published: May 01, 2025
Tracked Since: Feb 18, 2026