CVE-2025-46625: n/a in n/a
Lack of input validation/sanitization in the 'setLanCfg' API endpoint in httpd in the Tenda RX2 Pro 16.03.30.14 allows a remote attacker that is authorized to the web management portal to gain root shell access to the device by sending a crafted web request. This is persistent because the command injection is saved in the configuration of the device.
AI Analysis
Technical Summary
CVE-2025-46625 is a high-severity vulnerability affecting the Tenda RX2 Pro router firmware version 16.03.30.14. The flaw exists in the 'setLanCfg' API endpoint of the device's HTTP daemon (httpd), where insufficient input validation and sanitization allow an authenticated remote attacker to perform command injection. Specifically, an attacker with authorized access to the router's web management portal can craft malicious web requests that inject arbitrary commands. These commands execute with root privileges, granting the attacker full control over the device. The injected commands persist because they are saved within the device's configuration, enabling long-term compromise even after reboots. The vulnerability is categorized under CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that the root cause is failure to properly sanitize input before passing it to system commands. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and requiring privileges but no user interaction. No public exploits are currently known in the wild, and no patches have been published yet. This vulnerability allows attackers to bypass normal security controls and gain persistent root shell access, which can be leveraged for further lateral movement, data exfiltration, or disruption of network services.
Potential Impact
For European organizations using Tenda RX2 Pro routers, this vulnerability poses a significant risk. Compromise of these routers can lead to unauthorized access to internal networks, interception or manipulation of network traffic, and potential pivoting to other critical infrastructure. The persistent nature of the injected commands means that even after device reboots or resets, attackers may maintain control, complicating incident response. Confidentiality is at risk as attackers can capture sensitive data traversing the router. Integrity is compromised since attackers can alter configurations or inject malicious payloads. Availability can also be impacted if attackers disrupt routing or network services. Given the router's role at the network edge, exploitation could facilitate broader attacks on corporate or governmental networks. The requirement for authenticated access limits exposure to insiders or attackers who have obtained credentials, but credential theft or phishing could enable exploitation. The lack of a patch increases the window of vulnerability, emphasizing the need for immediate mitigations. Organizations relying on these devices for critical connectivity or remote access should consider this a high-priority threat.
Mitigation Recommendations
1. Immediately restrict access to the router's web management interface to trusted networks and users only, ideally limiting it to internal management VLANs or VPN connections. 2. Enforce strong authentication mechanisms, including complex passwords and multi-factor authentication if supported, to reduce risk of credential compromise. 3. Monitor router logs and network traffic for unusual or unauthorized configuration changes or command executions indicative of exploitation attempts. 4. If possible, disable the 'setLanCfg' API endpoint or any remote management features until a vendor patch is available. 5. Regularly back up router configurations and verify their integrity to enable recovery from persistent malicious changes. 6. Segment networks to limit the impact of a compromised router, preventing lateral movement to sensitive systems. 7. Engage with Tenda support or vendor channels to obtain updates or patches as soon as they are released. 8. Consider replacing affected devices with models that have verified security postures if patching is delayed. 9. Conduct security awareness training to prevent credential theft that could facilitate exploitation. 10. Implement network intrusion detection systems capable of identifying command injection patterns or anomalous API requests targeting router management interfaces.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
CVE-2025-46625: n/a in n/a
Description
Lack of input validation/sanitization in the 'setLanCfg' API endpoint in httpd in the Tenda RX2 Pro 16.03.30.14 allows a remote attacker that is authorized to the web management portal to gain root shell access to the device by sending a crafted web request. This is persistent because the command injection is saved in the configuration of the device.
AI-Powered Analysis
Technical Analysis
CVE-2025-46625 is a high-severity vulnerability affecting the Tenda RX2 Pro router firmware version 16.03.30.14. The flaw exists in the 'setLanCfg' API endpoint of the device's HTTP daemon (httpd), where insufficient input validation and sanitization allow an authenticated remote attacker to perform command injection. Specifically, an attacker with authorized access to the router's web management portal can craft malicious web requests that inject arbitrary commands. These commands execute with root privileges, granting the attacker full control over the device. The injected commands persist because they are saved within the device's configuration, enabling long-term compromise even after reboots. The vulnerability is categorized under CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that the root cause is failure to properly sanitize input before passing it to system commands. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and requiring privileges but no user interaction. No public exploits are currently known in the wild, and no patches have been published yet. This vulnerability allows attackers to bypass normal security controls and gain persistent root shell access, which can be leveraged for further lateral movement, data exfiltration, or disruption of network services.
Potential Impact
For European organizations using Tenda RX2 Pro routers, this vulnerability poses a significant risk. Compromise of these routers can lead to unauthorized access to internal networks, interception or manipulation of network traffic, and potential pivoting to other critical infrastructure. The persistent nature of the injected commands means that even after device reboots or resets, attackers may maintain control, complicating incident response. Confidentiality is at risk as attackers can capture sensitive data traversing the router. Integrity is compromised since attackers can alter configurations or inject malicious payloads. Availability can also be impacted if attackers disrupt routing or network services. Given the router's role at the network edge, exploitation could facilitate broader attacks on corporate or governmental networks. The requirement for authenticated access limits exposure to insiders or attackers who have obtained credentials, but credential theft or phishing could enable exploitation. The lack of a patch increases the window of vulnerability, emphasizing the need for immediate mitigations. Organizations relying on these devices for critical connectivity or remote access should consider this a high-priority threat.
Mitigation Recommendations
1. Immediately restrict access to the router's web management interface to trusted networks and users only, ideally limiting it to internal management VLANs or VPN connections. 2. Enforce strong authentication mechanisms, including complex passwords and multi-factor authentication if supported, to reduce risk of credential compromise. 3. Monitor router logs and network traffic for unusual or unauthorized configuration changes or command executions indicative of exploitation attempts. 4. If possible, disable the 'setLanCfg' API endpoint or any remote management features until a vendor patch is available. 5. Regularly back up router configurations and verify their integrity to enable recovery from persistent malicious changes. 6. Segment networks to limit the impact of a compromised router, preventing lateral movement to sensitive systems. 7. Engage with Tenda support or vendor channels to obtain updates or patches as soon as they are released. 8. Consider replacing affected devices with models that have verified security postures if patching is delayed. 9. Conduct security awareness training to prevent credential theft that could facilitate exploitation. 10. Implement network intrusion detection systems capable of identifying command injection patterns or anomalous API requests targeting router management interfaces.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2025-04-26T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9838c4522896dcbec166
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 7/3/2025, 7:28:39 AM
Last updated: 8/15/2025, 9:40:05 AM
Views: 14
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.