CVE-2025-46633

HIGH

Tenda RX2 Pro 16.03.30.14 - Info Disclosure

Title source: llm

Description

Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.

References (2)

[Exploit, Third Party Advisory] https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pro/README?id=cve-2025-46633-transmission-of-plaintext-symmetric-key-in-httpd

[Product] https://www.tendacn.com/us/default.html

Scores

CVSS v3 8.2

EPSS 0.0016

EPSS Percentile 36.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-312

Status published

Products (1)

tenda/rx2_pro_firmware 16.03.30.14

Published May 01, 2025

Tracked Since Feb 18, 2026