CVE-2025-46634Cleartext Storage of Sensitive Info in RX2 PRO Firmware

CWE-312Cleartext Storage of Sensitive Info3 documents3 sources
Severity
8.2HIGHNVD
EPSS
0.1%
top 68.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Tenda RX2 PRO Firmware
Timeline
PublishedMay 1
Latest updateMay 2

Description

Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an unauthenticated attacker to authenticate to the web management portal by collecting credentials from observed/collected traffic. It implements encryption, but not until after the user has transmitted the hash of their password in cleartext. The hash can be replayed to authenticate.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages1 packages

NVDtenda/rx2_pro_firmware16.03.30.14

🔴Vulnerability Details

2
GHSA
GHSA-pm2w-vj7f-h667: Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 162025-05-02
CVEList
CVE-2025-46634: Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 162025-05-01
CVE-2025-46634 — Cleartext Storage of Sensitive Info | cvebase