Post 39 | Security Advisory: Hardcoded Root Password in Tenda CP3 Pro Firmware (CVE-2025-52363)

Author: Shaunak Ganorkar, Traboda Cyberlabs Pvt. Ltd.
Published: July 2025
CVE ID: CVE-2025-52363
Vendor: Tenda Technology Co., Ltd.
Product: Tenda CP3 Pro IP Camera
Firmware Affected: V22.5.4.93
Firmware SHA-256: 5120fa8f772a5a3f68a7fff83b33e54ac2035436353b64f9e7f0ec4f1695d01d
Impact: Information Disclosure
Severity: Medium
Status: Public


Summary

A vulnerability was discovered in Tenda CP3 Pro Firmware V22.5.4.93: the password hashes for the root user are hardcoded in the /etc/passwd and /etc/passwd- files of the firmware image. No /etc/shadow file is present, so the hashes sit in these world-readable files rather than in a root-only shadow file, allowing an attacker who holds the firmware image to recover the hash offline and potentially crack it to obtain administrative access.


Vulnerability Details

  • Files Affected: /etc/passwd, /etc/passwd-
  • Root Hash from /etc/passwd: AhpGINvJObG0U
  • Root Hash from /etc/passwd-: ltEkcRyrDrA.o
  • Shadow File: Not present
  • Filesystem Path: jffs2-root/etc/
  • Discovered via: Static analysis of the extracted firmware image
  • CWE ID: CWE-798: Use of Hard-coded Credentials

Proof of Concept

$ cat jffs2-root/etc/passwd
root:AhpGINvJObG0U:0:0:root:/root:/bin/sh

$ cat jffs2-root/etc/passwd-
root:ltEkcRyrDrA.o:0:0:root:/root:/bin/sh
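As an added example, not part of the advisory: a small Python audit script that applies the check above to an extracted root filesystem. It classifies the password field of every passwd entry, ignores accounts that are shadowed or locked, and reports accounts whose hash is readable because it sits in /etc/passwd (or the editor backup /etc/passwd-) with no /etc/shadow present. The file layout and the two root entries come from the advisory; the script, its function names and the demo() helper are the editor's own.

```python
"""Audit an extracted firmware rootfs for password hashes left readable in
/etc/passwd or /etc/passwd- (CWE-798, no shadow file).  Editor's example."""
import re
import tempfile
from pathlib import Path

# Entries quoted from the advisory (jffs2-root/etc/passwd and passwd-).
SAMPLE_PASSWD = "root:AhpGINvJObG0U:0:0:root:/root:/bin/sh\n"
SAMPLE_PASSWD_BACKUP = "root:ltEkcRyrDrA.o:0:0:root:/root:/bin/sh\n"

# Legacy crypt(3): 2-char salt + 11 chars from the ./0-9A-Za-z alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular-crypt prefixes that may also appear directly in passwd.
MODULAR = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt",
           "$y$": "yescrypt", "$2a$": "bcrypt", "$2b$": "bcrypt"}


def classify_hash(field: str) -> str:
    """Name the kind of value held in the password field of a passwd entry."""
    if field == "x":
        return "shadowed"      # the real hash lives in /etc/shadow
    if field == "":
        return "empty"         # no password set at all
    if field.startswith(("*", "!")):
        return "locked"        # account cannot authenticate by password
    for prefix, name in MODULAR.items():
        if field.startswith(prefix):
            return name
    if DES_CRYPT.match(field):
        return "des-crypt"
    return "unknown"


def audit_passwd(text: str, source: str, shadow_present: bool) -> list:
    """Return one finding per account whose hash (or lack of one) is exposed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            continue           # not a well-formed passwd record
        user, pw_field, uid = parts[0], parts[1], parts[2]
        kind = classify_hash(pw_field)
        if kind in ("shadowed", "locked"):
            continue           # nothing recoverable from this file
        findings.append({
            "source": source, "line": lineno, "user": user, "uid": uid,
            "hash_type": kind, "is_root": uid == "0",
            "shadow_present": shadow_present,
        })
    return findings


def audit_rootfs(root: Path) -> list:
    """Scan etc/passwd and etc/passwd- below an extracted rootfs directory."""
    etc = root / "etc"
    shadow_present = (etc / "shadow").is_file()
    findings = []
    for name in ("passwd", "passwd-"):
        path = etc / name
        if path.is_file():
            findings += audit_passwd(path.read_text(errors="replace"),
                                     str(path.relative_to(root)), shadow_present)
    return findings


def demo() -> list:
    """Build a throwaway rootfs holding the advisory's two entries and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "jffs2-root"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "passwd").write_text(SAMPLE_PASSWD)
        (root / "etc" / "passwd-").write_text(SAMPLE_PASSWD_BACKUP)
        return audit_rootfs(root)


if __name__ == "__main__":
    for f in demo():
        flag = "ROOT " if f["is_root"] else ""
        print(f"{f['source']}:{f['line']} {flag}{f['user']} "
              f"hash={f['hash_type']} shadow={f['shadow_present']}")
```

Run it against a real extraction by calling audit_rootfs(Path("jffs2-root")); a finding with is_root set and shadow_present False is exactly the condition this advisory reports. The des-crypt classification is a useful signal on its own, since a 13-character legacy hash is far cheaper to attack offline than a modern modular-crypt hash.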

Attack Vector

An attacker can download the firmware from the official vendor site or extract it from a device, then analyze the filesystem offline to retrieve the password hash. If cracked, the attacker can attempt to log in via exposed services such as Telnet or SSH.


Impact

  • Privilege escalation via cracked root credentials
  • Unauthorized administrative access
  • Potential full device takeover

Severity Justification

CVSS v3.1 Base Score: 6.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS v4.0 Base Score: 7.0 (Medium)
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

The vulnerability requires access to the firmware image (local attack vector) but no privileges or user interaction. Once the image is extracted, the attacker can read the password hashes directly, which represents a serious confidentiality risk and a moderate integrity risk if a hash is cracked and the recovered password is reused against a device.


Recommendations

  • Tenda should avoid embedding unsalted password hashes in production firmware
  • Device owners must change default passwords immediately
  • Disable remote services such as Telnet/SSH if not in use

Discoverer

Shaunak Ganorkar
Traboda Cyberlabs Pvt. Ltd.

🔗 https://www.cybermaya.in
🔗 https://www.linkedin.com/in/shaunakganorkar

Disclaimer

This research was conducted for educational and responsible disclosure purposes only. No unauthorized access was made to any live device.

This post is licensed under CC BY-NC-ND 4.0 license by the author.