CVE-2025-46634 is a high-severity vulnerability affecting the web management portal of the Tenda RX2 Pro router firmware version 16.03.30.14. The core issue is the cleartext transmission of sensitive authentication information before encryption is applied. Specifically, while the portal implements encryption for communications, it does so only after the user has transmitted a hash of their password in cleartext. This design flaw allows an unauthenticated attacker who can observe network traffic to capture the password hash. Because the hash itself is used for authentication, the attacker can replay this hash to gain unauthorized access to the web management portal without needing to know the actual password. This vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information) and has a CVSS v3.1 score of 8.2, reflecting its high impact and ease of exploitation. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects confidentiality significantly (C:H), with limited impact on integrity (I:L) and no impact on availability (A:N). No patches or known exploits in the wild have been reported as of the publication date. The vulnerability arises from improper handling of authentication credentials and insufficient protection of sensitive data in transit, making it a critical risk for devices exposed to untrusted networks or attackers capable of network traffic interception.

For European organizations, this vulnerability poses a significant risk, especially for those deploying Tenda RX2 Pro routers in their network infrastructure. Successful exploitation could allow attackers to gain administrative access to the router's management interface, enabling them to alter network configurations, intercept or redirect traffic, or establish persistent footholds within the network. This could lead to data breaches, loss of confidentiality, and potential lateral movement within corporate networks. Given that the vulnerability requires no authentication or user interaction and can be exploited remotely over the network, organizations with routers accessible from untrusted networks or insufficiently segmented internal networks are particularly vulnerable. The impact is heightened in sectors with stringent data protection requirements under GDPR, as unauthorized access could lead to exposure of personal data and regulatory penalties. Additionally, compromised routers could be leveraged in broader cyberattacks, including supply chain compromises or as part of botnets targeting European infrastructure.

To mitigate this vulnerability effectively, European organizations should: 1) Immediately isolate affected Tenda RX2 Pro devices from untrusted networks, especially the internet, until a secure firmware update is available. 2) Monitor network traffic for unusual authentication attempts or replay attacks targeting router management interfaces. 3) Employ network segmentation to restrict access to router management portals to trusted administrative networks only, using VLANs or firewall rules. 4) Use out-of-band management solutions or VPNs to access router management interfaces securely, preventing exposure of credentials over unencrypted channels. 5) Regularly audit router firmware versions and configurations to identify and remediate vulnerable devices. 6) Engage with Tenda or authorized vendors to obtain patches or firmware updates addressing this vulnerability as soon as they become available. 7) Implement network intrusion detection systems (NIDS) capable of detecting replay attacks or anomalous authentication patterns. 8) Educate network administrators about the risks of cleartext credential transmission and enforce strong password policies to reduce the impact of credential compromise.