Account takeover in TDSEE app

Vulnerability details

CVSS 3.0: 9.1 (Critical). Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

TDSEE is a mobile application for managing Tenda smart cameras. At the time of writing (06.06.2025), the application had been downloaded more than 500,000 times.

In the TDSEE app, I found there was no rate limit on the confirmation code requests in the password reset functionality, resulting in account takeover.

Knowing the victim's email, the attacker could change the account password by brute-forcing the 6-digit password reset confirmation code.

Impact

An attacker who knows a victim's email can trigger a password reset, brute-force the verification code, and fully compromise the account (including the videos from connected cameras).

PoC

IMPORTANT: The vendor has been notified of the vulnerability. The vulnerability has already been fixed.

Patch

In the application version 1.7.15, the vendor released a patch, setting a limit on the number of requests per second.
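To make the defect and the fix concrete, here is an added illustration (not the TDSEE app's or the vendor's code, which is not shown on this page) of a hypothetical server-side reset-code verifier: the unlimited check that makes a 6-digit code brute-forceable, beside a hardened check that expires codes and burns them after a few wrong guesses. Store, method and constant names are assumptions.

```python
import hmac
import secrets
import time

CODE_LEN = 6          # assumed: 6-digit code, as in the TDSEE reset flow
CODE_TTL_S = 600      # assumed: a code is valid for 10 minutes
MAX_ATTEMPTS = 5      # assumed: wrong guesses allowed before the code is burned


class ResetCodeStore:
    """Hypothetical in-memory store of outstanding password-reset codes."""

    def __init__(self, clock=time.time):
        self._codes = {}        # email -> {"code", "issued", "attempts"}
        self._clock = clock     # injectable so expiry can be exercised offline

    def issue(self, email):
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self._codes[email] = {"code": code, "issued": self._clock(), "attempts": 0}
        return code  # in a real service this goes to the mailbox, not to the caller

    def active(self, email):
        return email in self._codes

    def verify_unlimited(self, email, guess):
        # Vulnerable pattern: every guess is compared, nothing is counted or
        # expired, so the whole 10**CODE_LEN space can be walked by a client.
        entry = self._codes.get(email)
        return entry is not None and hmac.compare_digest(entry["code"], guess)

    def verify(self, email, guess):
        # Hardened pattern: bounded lifetime, bounded attempts, single use.
        # A per-second request cap (the vendor's fix) slows guessing; an attempt
        # cap per code is what actually bounds the search to MAX_ATTEMPTS.
        entry = self._codes.get(email)
        if entry is None:
            return False
        if self._clock() - entry["issued"] > CODE_TTL_S:
            del self._codes[email]          # expired: drop it unconditionally
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], guess)
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._codes[email]          # consumed, or burned after failures
        return ok
```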

Author

@k3vg3n

https://blog.kevgen.ru/posts/account_takeover_in_tdsee_app/
Author: Kevgen
Published at: 2025-06-06
License: CC BY-NC-SA 4.0