Cyber Resilience

CVE-2025-46625

Severity: High · Type: RCE

Published: 01 May 2025
Modified: 27 May 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0146 (81.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-46625 is a high-severity, authenticated Command Injection (CWE-77) vulnerability in Tenda RX2 Pro firmware. Its CVSS v3.1 base score is 8.8 (High); the PR:L component of the vector reflects that the attacker must first be logged in to the web-management portal.

Operationally, it ranks in the top 18.7% of CVEs by EPSS-estimated exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-46625 is a command-injection vulnerability (CWE-77) caused by missing input validation and sanitization in the setLanCfg API endpoint of the httpd service on the Tenda RX2 Pro running firmware version 16.03.30.14. The flaw resides in the device's web-management interface and permits an authenticated user to inject operating-system commands that are stored persistently in the router configuration.

An attacker who already possesses valid credentials to the web portal can send a single crafted HTTP request to the setLanCfg endpoint. Successful exploitation grants the attacker an interactive root shell on the device; because the injected commands survive reboots and configuration reloads, access persists across power cycles without further interaction.
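The mechanism described above (a configuration field that is stored unvalidated and later spliced into a shell command, so the injection survives reboots) is worth seeing in code. The following C block is an added, illustrative model written for this page; it is not Tenda's httpd code, and the function names, the `ifconfig br0` command line, the `lan_ip` field and the sample payload are all assumptions or constructed inputs. It shows the vulnerable pattern beside a hardened handler that validates the field as an IPv4 address with `inet_pton()` before it is stored, builds an argv instead of a shell string, and includes a small audit check a responder can run over exported config values.

```c
/* Added illustrative example, not the vendor's code. The config key
 * "lan_ip", the "ifconfig br0 ..." command line and the function names
 * are assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define CMD_MAX 256

/* Vulnerable pattern (CWE-77): the value submitted to the "set LAN config"
 * endpoint is persisted as-is, and at boot (or on config reload) it is
 * concatenated into a shell command line. Any shell metacharacter in the
 * stored value becomes a command that runs as the httpd user, typically
 * root on this class of device. This returns the string that would be
 * handed to system(); it deliberately never executes it. */
int vuln_build_lan_cmd(const char *stored_lan_ip, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "ifconfig br0 %s netmask 255.255.255.0",
                     stored_lan_ip);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened: validate before storing. inet_pton() accepts only a strict
 * dotted-quad IPv4 address, so ";", "|", "`", "$(" and friends are
 * rejected at the API boundary and never reach the config file. The
 * canonical re-serialised form is what gets stored, not the raw input.
 * Returns 1 if accepted, 0 if rejected. */
int validate_lan_ip(const char *value, char *canonical, size_t outlen) {
    struct in_addr a;
    if (value == NULL || strlen(value) > 15) return 0;       /* "255.255.255.255" */
    if (inet_pton(AF_INET, value, &a) != 1) return 0;
    if (inet_ntop(AF_INET, &a, canonical, outlen) == NULL) return 0;
    return 1;
}

/* Defence in depth: even a validated value should not pass through a
 * shell. With a fixed argv for execve()/posix_spawn(), the value can only
 * ever be a single argument. Returns argc, or -1 if the array is too small. */
int build_ifconfig_argv(const char *lan_ip, const char *argv[], int max) {
    if (max < 6) return -1;
    argv[0] = "ifconfig"; argv[1] = "br0"; argv[2] = lan_ip;
    argv[3] = "netmask";  argv[4] = "255.255.255.0"; argv[5] = NULL;
    return 5;
}

/* Audit check for responders: a stored LAN-config value containing shell
 * metacharacters indicates a payload that has already been persisted.
 * Returns 1 if the value looks injected, 0 otherwise. */
int looks_injected(const char *stored_value) {
    return strpbrk(stored_value, ";|&`$()\n<>") != NULL;
}

int main(void) {
    /* Constructed sample inputs: one benign address and one hostile value. */
    const char *benign  = "192.168.0.1";
    const char *hostile = "192.168.0.1;id";
    char cmd[CMD_MAX], canon[INET_ADDRSTRLEN];

    vuln_build_lan_cmd(hostile, cmd, sizeof cmd);
    printf("vulnerable path would run : %s\n", cmd);
    printf("hardened accepts benign   : %d\n",
           validate_lan_ip(benign, canon, sizeof canon));
    printf("hardened accepts hostile  : %d\n",
           validate_lan_ip(hostile, canon, sizeof canon));
    printf("audit flags stored hostile: %d\n", looks_injected(hostile));
    return 0;
}
```

The point of `validate_lan_ip()` is that the check happens on the write path: once a metacharacter has been persisted, every later consumer of the config (boot scripts, reload handlers) becomes an execution point, which is exactly why this bug is persistent. The `looks_injected()` check is the quick triage a responder can apply to a config backup pulled from a device suspected of having been hit.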

The two available references are a detailed technical write-up and the vendor's general support page; neither describes an official patch, firmware update, or specific mitigation steps. The EPSS score has stayed essentially flat since disclosure (0.0178 when this analysis was written; the current header value is 0.0146), with no material increase after publication.


Vulnerability details

Lack of input validation/sanitization in the 'setLanCfg' API endpoint in httpd in the Tenda RX2 Pro 16.03.30.14 allows a remote attacker that is authorized to the web management portal to gain root shell access to the device by sending a crafted web request. This is persistent because the command injection is saved in the configuration of the device.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Tenda
Product: RX2 Pro firmware
Version: 16.03.30.14

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References