Post 40 | Security Advisory: Telnet Enabled by Default in Tenda CP3 Pro Firmware (CVE-2025-52364)

Author: Shaunak Ganorkar, Traboda Cyberlabs Pvt. Ltd.
Published: July 2025
CVE ID: CVE-2025-52364
Vendor: Tenda Technology Co., Ltd.
Product: Tenda CP3 Pro IP Camera
Firmware Affected: V22.5.4.93
Firmware SHA-256: 5120fa8f772a5a3f68a7fff83b33e54ac2035436353b64f9e7f0ec4f1695d01d
Impact: Remote Shell Access
Severity: High
Status: Public


Summary

Tenda CP3 Pro Firmware V22.5.4.93 enables the Telnet daemon (telnetd) by default during device boot. The initialization script /etc/init.d/eth.sh explicitly starts the Telnet service without user interaction or configuration, exposing an unencrypted remote shell on port 23.

This significantly increases risk, especially when combined with weak or hardcoded credentials.


Vulnerability Details


Proof of Concept

$ grep -rnw . -e telnetd
./eth.sh:42:telnetd &

$ tail -n 10 eth.sh
ifconfig eth0 hw ether $ethaddr
ifconfig eth0 up
ifconfig eth0 $ipaddr netmask 255.255.252.0

#ip -6 addr add fe80::211:1187:35d5:b411/64 dev eth0

route add default gw 10.35.39.254
mount -t nfs -o nolock 10.35.36.1:/nfspool/romfs/home /mnt/nfs
telnetd &


Attack Vector

Any attacker with access to the same network as the device can attempt to connect via Telnet on port 23. If default credentials are present or cracked (e.g., from CVE-2025-52363), this results in full root shell access.


Impact

  • Remote shell access without encryption
  • Potential unauthorized login with weak/default credentials
  • Network-wide compromise if the camera is exposed externally

Severity Justification

CVSS v3.1 Base Score: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0 Base Score: 8.9 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

The Telnet service is enabled by default at boot time, exposing a root shell over the network. No user interaction or privileges are required, and no encryption is in place. Combined with weak/default credentials, this leads to a high risk of device takeover.


Recommendations

  • Disable Telnet on the device immediately
  • Switch to secure alternatives like SSH or HTTPS-based admin interfaces
  • Tenda should avoid enabling insecure services by default in production firmware
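
An added example (not from the original advisory or from Tenda): a shell check that a firmware build or review step could run over an unpacked root filesystem to catch an uncommented telnetd start like the one in eth.sh. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag init scripts in an unpacked firmware tree that start telnetd.

# find_telnetd_starts ROOT: print "file:line:text" for each active telnetd line.
find_telnetd_starts() {
    # -r recurse, -n line numbers, -w whole word, -I skip binaries (e.g. busybox)
    grep -rnwI -e telnetd "$1" 2>/dev/null |
        # Drop hits whose text after "file:line:" is a shell comment.
        grep -v -E '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# audit_firmware ROOT: return 1 (build should fail) if telnetd is started.
audit_firmware() {
    hits=$(find_telnetd_starts "$1")
    if [ -n "$hits" ]; then
        printf 'FAIL: telnetd started at boot:\n%s\n' "$hits"
        return 1
    fi
    printf 'PASS: no active telnetd invocation under %s\n' "$1"
}

# make_sample_rootfs DIR: constructed sample, modelled on the eth.sh tail above.
make_sample_rootfs() {
    mkdir -p "$1/etc/init.d"
    cat > "$1/etc/init.d/eth.sh" <<'EOF'
ifconfig eth0 up
#ip -6 addr add fe80::211:1187:35d5:b411/64 dev eth0
telnetd &
EOF
    # A disabled (commented-out) start must not be reported.
    printf '#!/bin/sh\n# telnetd &\nhttpd\n' > "$1/etc/init.d/web.sh"
}

# Demo run on the constructed tree (not the real firmware image).
demo_root=$(mktemp -d)
make_sample_rootfs "$demo_root"
audit_firmware "$demo_root" || echo "audit exit status: $?"
rm -rf "$demo_root"
```

The comment filter only recognises lines that begin with #, so a start hidden behind a variable or a wrapper script still needs manual review.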

Discoverer

Shaunak Ganorkar
Traboda Cyberlabs Pvt. Ltd.

🔗 https://www.cybermaya.in
🔗 https://www.linkedin.com/in/shaunakganorkar


Disclaimer

This research was conducted for educational and responsible disclosure purposes only. No unauthorized access was made to any live device.

This post is licensed under CC BY-NC-ND 4.0 license by the author.