CVE-2025-46625 is a high-severity vulnerability affecting the Tenda RX2 Pro router firmware version 16.03.30.14. The flaw exists in the 'setLanCfg' API endpoint of the device's HTTP daemon (httpd), where insufficient input validation and sanitization allow an authenticated remote attacker to perform command injection. Specifically, an attacker with authorized access to the router's web management portal can craft malicious web requests that inject arbitrary commands. These commands execute with root privileges, granting the attacker full control over the device. The injected commands persist because they are saved within the device's configuration, enabling long-term compromise even after reboots. The vulnerability is categorized under CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that the root cause is failure to properly sanitize input before passing it to system commands. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and requiring privileges but no user interaction. No public exploits are currently known in the wild, and no patches have been published yet. This vulnerability allows attackers to bypass normal security controls and gain persistent root shell access, which can be leveraged for further lateral movement, data exfiltration, or disruption of network services.

For European organizations using Tenda RX2 Pro routers, this vulnerability poses a significant risk. Compromise of these routers can lead to unauthorized access to internal networks, interception or manipulation of network traffic, and potential pivoting to other critical infrastructure. The persistent nature of the injected commands means that even after device reboots or resets, attackers may maintain control, complicating incident response. Confidentiality is at risk as attackers can capture sensitive data traversing the router. Integrity is compromised since attackers can alter configurations or inject malicious payloads. Availability can also be impacted if attackers disrupt routing or network services. Given the router's role at the network edge, exploitation could facilitate broader attacks on corporate or governmental networks. The requirement for authenticated access limits exposure to insiders or attackers who have obtained credentials, but credential theft or phishing could enable exploitation. The lack of a patch increases the window of vulnerability, emphasizing the need for immediate mitigations. Organizations relying on these devices for critical connectivity or remote access should consider this a high-priority threat.

1. Immediately restrict access to the router's web management interface to trusted networks and users only, ideally limiting it to internal management VLANs or VPN connections. 2. Enforce strong authentication mechanisms, including complex passwords and multi-factor authentication if supported, to reduce risk of credential compromise. 3. Monitor router logs and network traffic for unusual or unauthorized configuration changes or command executions indicative of exploitation attempts. 4. If possible, disable the 'setLanCfg' API endpoint or any remote management features until a vendor patch is available. 5. Regularly back up router configurations and verify their integrity to enable recovery from persistent malicious changes. 6. Segment networks to limit the impact of a compromised router, preventing lateral movement to sensitive systems. 7. Engage with Tenda support or vendor channels to obtain updates or patches as soon as they are released. 8. Consider replacing affected devices with models that have verified security postures if patching is delayed. 9. Conduct security awareness training to prevent credential theft that could facilitate exploitation. 10. Implement network intrusion detection systems capable of identifying command injection patterns or anomalous API requests targeting router management interfaces.