Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.
History

Tue, 27 May 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda rx2 Pro
Tenda rx2 Pro Firmware
CPEs cpe:2.3:h:tenda:rx2_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:tenda:rx2_pro_firmware:16.03.30.14:*:*:*:*:*:*:*
Vendors & Products Tenda
Tenda rx2 Pro
Tenda rx2 Pro Firmware

Fri, 02 May 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-312
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 01 May 2025 19:30:00 +0000

Type Values Removed Values Added
Description Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-05-01T00:00:00.000Z

Updated: 2025-05-02T14:59:18.138Z

Reserved: 2025-04-26T00:00:00.000Z

Link: CVE-2025-46633

cve-icon Vulnrichment

Updated: 2025-05-02T14:59:12.220Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-01T20:15:39.310

Modified: 2025-05-27T14:17:34.780

Link: CVE-2025-46633

cve-icon Redhat

No data.