PT-2025-18699 · Tenda · Tenda Rx2 Pro

Published 2025-05-01 · Updated 2025-05-27 · CVE-2025-46625

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Tenda RX2 Pro version 16.03.30.14
Description

The setLanCfg API endpoint of the device's httpd web server does not validate or sanitize its input. A remote attacker who is authenticated to the web management portal can send a crafted request to this endpoint to inject shell commands and obtain a root shell on the device. The issue is persistent: the injected command is stored in the device's saved configuration, so it is not limited to the single request that delivered it.
Recommendations

No patch was available for Tenda RX2 Pro version 16.03.30.14 at the time of this entry. As a temporary workaround, disable or avoid using the setLanCfg API endpoint until a fix is released. Restrict access to the web management portal (do not expose it to untrusted networks, and use strong, unique administrator credentials), since exploitation requires an authenticated session. Because the injected command is stored in the device configuration, review the saved LAN configuration for unexpected content on any device that may already have been exploited; updating the firmware alone may not remove a payload that is already saved.
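The bug class the description names, as an illustrative example added by the editor: this is not Tenda firmware code, and the page does not disclose the setLanCfg parameter names or handler, so the field names lan_ip and lan_mask, the interface name br0 and every function name below are assumptions. Written in C because httpd on devices of this kind is native code. It places a handler that splices request fields into a shell command line beside a hardened handler that validates each field as an IPv4 address and passes arguments through an argv with no shell involved, and adds a small check for shell metacharacters in stored configuration values, which is the review step the recommendations call for.

```c
/* Illustrative example added by the editor, NOT Tenda firmware code.
 * The real setLanCfg parameters and handler are not public on this page;
 * lan_ip, lan_mask, br0 and all function names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Vulnerable pattern (assumed, illustrative): the request field is pasted
 * straight into a shell command line. The string is returned instead of
 * being passed to system() so that the example is safe to run. */
const char *build_lan_cmd_unsafe(const char *lan_ip, const char *lan_mask)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "ifconfig br0 %s netmask %s", lan_ip, lan_mask);
    return cmd;
}

/* Returns 1 if s is exactly one dotted-quad IPv4 address, 0 otherwise.
 * inet_pton() rejects anything that is not a valid address, which
 * includes trailing shell metacharacters. */
int is_ipv4(const char *s)
{
    struct in_addr a;
    if (s == NULL || strlen(s) > 15)   /* longest valid form: 255.255.255.255 */
        return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Returns 1 if a stored configuration value contains characters a shell
 * would treat specially. Useful when auditing the saved configuration of a
 * device that may already have been hit, since the payload is persisted. */
int has_shell_meta(const char *s)
{
    return s != NULL && strpbrk(s, ";|&`$(){}<>\n\r'\"\\") != NULL;
}

/* Hardened handler (assumed, illustrative): validate both fields as IPv4
 * addresses, then build an argv for execv() instead of a shell string, so a
 * value can never be reinterpreted as a command. Fills argv and returns 0 on
 * success; returns -1 and leaves argv untouched when the input is rejected.
 * The execv() call itself is omitted so the example does not reconfigure
 * the host it runs on. */
int set_lan_cfg_safe(const char *lan_ip, const char *lan_mask, const char *argv[6])
{
    if (!is_ipv4(lan_ip) || !is_ipv4(lan_mask))
        return -1;
    argv[0] = "/sbin/ifconfig";
    argv[1] = "br0";
    argv[2] = lan_ip;
    argv[3] = "netmask";
    argv[4] = lan_mask;
    argv[5] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed input: a LAN IP field carrying an injected command. */
    const char *tainted = "192.168.1.1;id";
    const char *argv[6];

    printf("unsafe handler would run : %s\n", build_lan_cmd_unsafe(tainted, "255.255.255.0"));
    printf("safe handler, tainted    : %d\n", set_lan_cfg_safe(tainted, "255.255.255.0", argv));
    printf("safe handler, clean      : %d\n", set_lan_cfg_safe("192.168.1.1", "255.255.255.0", argv));
    printf("saved value needs review : %d\n", has_shell_meta(tainted));
    return 0;
}
```

The unsafe variant shows why the injection survives in configuration: whatever string was accepted is exactly what gets spliced into the command the next time the handler runs. The hardened variant fixes it at the boundary (a field either parses as an address or is rejected) and removes the shell from the path entirely, so validation is defence in depth rather than the only line.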

Fix

None available at the time of this entry (see Recommendations)

Weakness Enumeration

Command Injection

Related Identifiers

BDU:2025-05628
CVE-2025-46625

Affected Products

Tenda Rx2 Pro