CVE-2025-46633

CWE-312Cleartext Storage of Sensitive Info3 documents3 sources
Severity
8.2HIGH
EPSS
0.2%
top 63.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Tenda RX2 PRO Firmware
Timeline
PublishedMay 1
Latest updateMay 2

Description

Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages1 packages

NVDtenda/rx2_pro_firmware16.03.30.14

🔴Vulnerability Details

2
GHSA
GHSA-pjhx-jp78-8pv5: Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 162025-05-02
CVEList
CVE-2025-46633: Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 162025-05-01
CVE-2025-46633 (HIGH CVSS 8.2) | Cleartext transmission of sensitive | cvebase.io