Security researchers have uncovered eleven severe vulnerabilities in the Tenda RX2 Pro Dual-Band Gigabit Wi-Fi 6 Router (firmware V16.03.30.14), exposing millions of users to potential remote attacks, including full device takeover.
Despite responsible disclosure, Tenda has not responded, leaving all known devices unpatched and at risk.
Reverse Engineering Challenges and Firmware Analysis
According to the report, the researchers initially set out to improve QEMU emulation using Tenda firmware, only to discover that recent Tenda devices ship encrypted firmware blobs.
However, the RX2 Pro’s onboard flash was unencrypted, allowing the extraction and unpacking of the root partition.
The firmware used a modified SquashFS filesystem, with altered magic bytes and CRC polynomials, complicating analysis but ultimately yielding to custom tooling.
Web Management Portal: Encryption Flaws and Credential Exposure
The RX2 Pro’s web management portal attempts to secure traffic using custom encryption rather than GoAhead’s standard TLS/SSL.
This approach introduced several critical vulnerabilities:
- CVE-2025-46634: Transmission of Plaintext Credentials
User credentials are transmitted in plaintext over HTTP during authentication, even when remote management is enabled.
  - Though the password is hashed (using MD5), the hash can be replayed for unauthorized access.

```text
POST /login HTTP/1.1
Host: 192.168.0.1
Content-Type: application/x-www-form-urlencoded

username=admin&password=21232f297a57a5a743894a0e4a801fc3
```
- CVE-2025-46632: Static IV Use in AES-128-CBC Encryption
After authentication, traffic is encrypted with AES-128-CBC, but a static IV ("EU5H62G9ICGRNI43") is reused for every session, undermining cryptographic security.

```c
EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); // iv is always static
```
- CVE-2025-46633: Plaintext Transmission of Symmetric Key
The AES key used for session encryption is sent in plaintext to the client post-authentication, allowing any eavesdropper to decrypt subsequent traffic.
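To make the static-IV problem of CVE-2025-46632 concrete, here is an added Go example (not code from the report or from Tenda's firmware) that encrypts with AES-128-CBC under the fixed IV quoted above and then under a fresh random IV; the key and the sample requests are constructed for the demonstration and are not the device's values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// StaticIV is the fixed IV the report says the RX2 Pro reuses for every session.
var StaticIV = []byte("EU5H62G9ICGRNI43")

// EncryptCBC is AES-128-CBC (PKCS#7 padded) with a caller-supplied IV, the same
// construction as the EVP_aes_128_cbc() call quoted in the report.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptCBCRandomIV is the corrected form: a fresh random IV per message,
// prepended in the clear so the receiver can still decrypt.
func EncryptCBCRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := EncryptCBC(key, iv, plaintext)
	return append(iv, ct...), err
}

// SharedPrefixBlocks counts the leading blocks two ciphertexts have in common. With a
// static IV that equals the shared plaintext prefix, so a passive observer learns when
// requests repeat or differ; with a random IV even identical messages share nothing.
func SharedPrefixBlocks(a, b []byte) int {
	bs, n := aes.BlockSize, 0
	for (n+1)*bs <= len(a) && (n+1)*bs <= len(b) && bytes.Equal(a[n*bs:(n+1)*bs], b[n*bs:(n+1)*bs]) {
		n++
	}
	return n
}
```

Two constructed requests that share their first 16 bytes ("username=admin&a...") produce an identical first ciphertext block under the static IV, and re-sending the same request yields byte-identical ciphertext; under a per-message random IV neither holds.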
Guest Network Isolation and Lateral Movement
- CVE-2025-46635: Improper Network Isolation
The router separates guest and primary networks only by subnetting, not by true layer-2 isolation.
  - Attackers on the guest network can scan and access devices on the primary network by spoofing their IP address, easily bypassing weak access controls.
Multiple Paths to Root Shell: Telnet, ATE Service, and Command Injection
- CVE-2025-46631: Unauthenticated Telnet Enablement
An unauthenticated attacker can enable Telnet by accessing the `/goform/telnet` endpoint, which is whitelisted and does not require authentication.

```bash
curl -X POST http://192.168.0.1/goform/telnet
```
- CVE-2025-46627: Predictable Root Password
The root password is generated at boot from the last two octets of the device’s MAC address, making it trivial to compute.
- CVE-2025-46630, 46629, 46626, 46628: ATE Management Binary Vulnerabilities
The undocumented `ate` service can be enabled without authentication via `/goform/ate`, listens on UDP port 7329, and uses a static key ("Tenda0123456789M") and IV (all zeros) for weak encryption. It accepts unauthenticated commands, including those that allow arbitrary command injection via the `ifconfig` handler.

```python
# Example: Sending a crafted UDP packet to 7329/udp for command injection
# (`sock`, a UDP socket, and `encrypt`, the static-key AES wrapper, are not shown in the report excerpt)
sock.sendto(encrypt("ifconfig; /bin/sh"), ("192.168.0.1", 7329))
```
- CVE-2025-46625: Persistent Command Injection via setLanCfg
Attackers authenticated to the web portal can inject commands through the `setLanCfg` API, leading to persistent root access.
No Patch, High Risk
With no official patch or remediation from Tenda, all users of the RX2 Pro router are advised to disconnect the device from untrusted networks and monitor for unusual activity.
The combination of plaintext credentials, static cryptographic keys, weak network segmentation, and multiple unauthenticated root paths makes this one of the most severe consumer router exposures in recent years.