CVE-2025-11666 HIGH

CVE-2025-11666: Tenda RP3 Pro Firmware Update force_upgrade.sh hard-coded password

Vendor: Tenda
Product: RP3 Pro
Weakness: CWE-259
Published: October 13, 2025
Last update: October 14, 2025

CVSS base score

8.4/10
Attack vector: Local
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

A flaw has been found in Tenda RP3 Pro up to 22.5.7.93. It affects an unknown function of the file force_upgrade.sh in the Firmware Update Handler component. Manipulating the argument current_force_upgrade_pwd can lead to the use of a hard-coded password. The attack can only be executed locally. The exploit has been published and may be used.

Key dates

02 Disclosure timeline

October 13, 2025 CVE published
October 14, 2025 Record updated