PT-2025-18707 · Tenda · Tenda Rx2 Pro

Published: 2025-05-01 · Updated: 2025-05-27 · CVE-2025-46633

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Tenda RX2 Pro version 16.03.30.14

Description

The issue concerns the cleartext transmission of sensitive information in the web management portal. The symmetric AES key is sent in cleartext in response to successful authentication, so an attacker who collects and/or observes traffic between the client and server can obtain the key and decrypt that traffic. The IV is always EU5H62G9ICGRNI43.

Recommendations

For Tenda RX2 Pro version 16.03.30.14, consider disabling the web management portal until a patch is available to prevent cleartext transmission of sensitive information. Restrict access to the portal to minimize the risk of exploitation. Avoid using the portal for sensitive operations until the issue is resolved.

Exploit

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

BDU:2025-05637
CVE-2025-46633

Affected Products

Tenda Rx2 Pro