PT-2025-18708 · Tenda · Tenda Rx2 Pro

Published: 2025-05-01 · Updated: 2025-05-27 · CVE-2025-46634

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Tenda RX2 Pro version 16.03.30.14

Description
The web management portal of the Tenda RX2 Pro transmits sensitive information, including the hash of the user's password, in cleartext. This could allow an unauthenticated attacker to collect credentials from observed or collected traffic and use them to authenticate to the portal. Although the system implements encryption, it does so only after the user's password hash has been transmitted in cleartext, making the hash vulnerable to replay attacks for authentication purposes.

Recommendations
For version 16.03.30.14, consider implementing full encryption for all communication, including the initial transmission of the password hash, to prevent eavesdropping and replay attacks. As a temporary workaround, restrict access to the web management portal to minimize the risk of exploitation.
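
One way to check an exported capture of a device's login flow for the condition described above. This is an added example, not code from the advisory or from Tenda; the field names, the `/login` path and the sample requests are constructed assumptions, since the advisory does not name the portal's parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hex strings the length of common digests: MD5 (32), SHA-1 (40), SHA-256 (64).
DIGEST_RE = re.compile(r"\A(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\Z")
# Field-name hints are assumptions; adjust them to the device under review.
CRED_HINT_RE = re.compile(r"pass|pwd|hash|secret|token", re.I)

# Constructed sample: (method, url, body) tuples as a proxy export might give them.
SAMPLE_CAPTURE = [
    ("GET", "http://192.0.2.1/index.html", ""),
    ("POST", "http://192.0.2.1/login",
     "username=admin&password=5f4dcc3b5aa765d61d8327deb882cf99"),
    ("POST", "https://192.0.2.1/login",
     "username=admin&password=5f4dcc3b5aa765d61d8327deb882cf99"),
    ("POST", "http://192.0.2.1/settings", "ssid=home&channel=6"),
]

def audit_requests(requests):
    """Return one finding per credential-like field sent over plain HTTP."""
    findings = []
    for method, url, body in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # request was TLS-protected; not what this check looks for
        fields = (parse_qsl(parts.query, keep_blank_values=True)
                  + parse_qsl(body, keep_blank_values=True))
        for name, value in fields:
            digest_shaped = bool(DIGEST_RE.match(value))
            name_hint = bool(CRED_HINT_RE.search(name)) and value != ""
            if digest_shaped or name_hint:
                findings.append({
                    "method": method,
                    "path": parts.path,
                    "field": name,
                    "reason": ("digest-shaped value" if digest_shaped
                               else "credential-like field name"),
                })
    return findings

if __name__ == "__main__":
    for f in audit_requests(SAMPLE_CAPTURE):
        print(f"{f['method']} {f['path']}: field '{f['field']}' ({f['reason']}) sent in cleartext")
```

A finding on the login request means the value is exposed to anyone observing the traffic, regardless of any encryption applied to later requests.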

Weakness Enumeration: Cleartext Storage of Sensitive Information

Related Identifiers: CVE-2025-46634

Affected Products: Tenda Rx2 Pro