Security researchers have uncovered a series of critical vulnerabilities in the Tenda RX2 Pro Dual-Band Gigabit Wi-Fi 6 Router (Firmware V16.03.30.14), which could allow remote attackers to gain administrative access and, in many cases, full root shell on the device.
Despite the notification, Tenda has not responded, and no patches are available.
Eleven separate CVEs have been assigned to vulnerabilities discovered in Tenda’s web management portal, firmware, and internal services.
.png
)
Attackers can exploit combinations of these bugs to escalate privileges, bypass network segmentation, and ultimately execute arbitrary code with root privileges.
The vulnerabilities are particularly troubling because they can be exploited by anyone who connects to the device-even from the guest Wi-Fi network, which is supposed to be isolated.
How the Attacks Work
The Tenda RX2 Pro’s web management interface contains numerous flaws in how it transmits and encrypts credentials and session keys.
Additionally, improper network segmentation means attackers on a guest Wi-Fi network can target the main router functions or other clients.
Most disturbingly, attackers can enable backdoor services like telnet and an undocumented service called “ate,” both of which have their severe flaws, including command injection vulnerabilities and static credentials.
Summary of Key Vulnerabilities
| CVE | Summary | Impact |
| CVE-2025-46634 | Transmission of plaintext credentials in httpd | Allows credential theft and replay from observed traffic |
| CVE-2025-46632 | Static IV use in web encryption | Makes encrypted sessions easier to decrypt |
| CVE-2025-46633 | Transmission of AES encryption key in plaintext | Enables interception & decryption of management traffic |
| CVE-2025-46635 | Improper network isolation between guest/primary networks | Guest users can attack the router and main network |
| CVE-2025-46631 | Unauthenticated enabling of telnet via web API | Remote root shell via backdoor, no authentication needed |
| CVE-2025-46627 | OS root password generated from device MAC address | Allows attacker to calculate and use the root password |
| CVE-2025-46630 | Unauthenticated enabling of “ate” service via web API | Activates a vulnerable, undocumented management service |
| CVE-2025-46629 | “ate” service lacks authentication | Anyone can send commands to the service |
| CVE-2025-46626 | “ate” service uses static key/IV for encryption | Allows traffic replay, decryption, and forging commands |
| CVE-2025-46628 | Command injection in “ate” via ifconfig command | Unauthenticated root command execution |
| CVE-2025-46625 | Command injection in setLanCfg httpd API | Authenticated users can get persistent root shell |
Exploit Scenarios
- Guest Network Bypass: Attackers on the guest Wi-Fi can become “layer-2 adjacent” to the main network and bypass basic subnet restrictions. This provides a launchpad for further attacks.
- Backdoor Services: Unauthenticated users can turn on a telnet or “ate” service, both backdoors that grant shell access or allow command injection with no password required.
- Weak Encryption: Even where encryption is used, the static IVs and keys, and the transmission of those keys in plaintext, render it ineffective. Attackers can intercept and decrypt admin commands and sessions.
The researcher has reported all findings to Tenda, but as of publication, no updates or fixes have been issued.
Owners of the Tenda RX2 Pro are strongly urged to disconnect their routers from untrusted networks and consider alternative devices until official patches are released.
These vulnerabilities highlight the need for robust, industry-standard security practices in consumer networking gear. Until Tenda responds, users remain at serious risk from attackers both inside and outside their networks.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
