Vulnerability Details CVE-2025-46625
Lack of input validation/sanitization in the 'setLanCfg' API endpoint in httpd in the Tenda RX2 Pro 16.03.30.14 allows a remote attacker that is authorized to the web management portal to gain root shell access to the device by sending a crafted web request. This is persistent because the command injection is saved in the configuration of the device.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 64.2%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2025-46625
-
cpe:2.3:h:tenda:rx2_pro:-
-
cpe:2.3:o:tenda:rx2_pro_firmware:16.03.30.14