CVE-2025-46635: n/a in n/a
An issue was discovered on Tenda RX2 Pro 16.03.30.14 devices. Improper network isolation between the guest Wi-Fi network and other network interfaces on the router allows an attacker (who is authenticated to the guest Wi-Fi) to access resources on the router and/or resources and devices on other networks hosted by the router by configuring a static IP address (within the non-guest subnet) on their host.
AI Analysis
Technical Summary
CVE-2025-46635 is a high-severity vulnerability affecting Tenda RX2 Pro routers running firmware version 16.03.30.14. The core issue is improper network isolation between the guest Wi-Fi network and other internal network interfaces on the router. Normally, guest Wi-Fi networks are segmented to restrict access to internal resources and other connected devices, providing a security boundary. However, due to this vulnerability, an attacker who is authenticated to the guest Wi-Fi can bypass this isolation by manually configuring a static IP address within the subnet of the non-guest network. This misconfiguration allows the attacker to access router resources and other devices on the internal network that should be segregated from guest users. The vulnerability is classified under CWE-284 (Improper Access Control), indicating that the router fails to enforce proper access restrictions between network segments. The CVSS v3.1 base score is 7.1 (high), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The impact is high on confidentiality, as unauthorized access to internal network resources is possible, with limited impact on integrity and no impact on availability. No known exploits are reported in the wild yet, and no patches have been linked or published at the time of disclosure. This vulnerability could be exploited by any authenticated guest Wi-Fi user capable of configuring their device's IP settings, which is a relatively low barrier for attackers with physical or temporary network access.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially in environments where Tenda RX2 Pro routers are deployed and guest Wi-Fi networks are provided to visitors, contractors, or customers. Unauthorized access from the guest network to internal resources can lead to data leakage, unauthorized monitoring, or lateral movement within the network. Confidential information stored on internal devices or accessible services could be exposed. This risk is heightened in sectors with strict data protection requirements such as finance, healthcare, and critical infrastructure. Additionally, the ability to access router management interfaces could allow attackers to alter configurations, potentially leading to further compromise or persistent access. The vulnerability undermines network segmentation strategies that are critical for compliance with European data protection regulations like GDPR, which mandate appropriate technical measures to protect personal data. Organizations relying on Tenda RX2 Pro routers without proper compensating controls may face regulatory penalties and reputational damage if exploited.
Mitigation Recommendations
Immediate mitigation should focus on restricting guest Wi-Fi users from configuring static IP addresses within the internal network's subnet. Network administrators should implement DHCP snooping and IP source guard features if supported by the router or network infrastructure to prevent IP spoofing and unauthorized static IP assignment. Segmentation should be enforced at the router or switch level using VLANs with strict access control lists (ACLs) to isolate guest traffic effectively. Monitoring and logging of guest network activity should be enhanced to detect anomalous IP configurations or unauthorized access attempts. Where possible, upgrade or replace affected Tenda RX2 Pro devices with firmware versions that address this vulnerability once available. If no patch is available, consider disabling guest Wi-Fi or restricting guest access to internet-only connectivity via firewall rules. Educate users and network administrators about the risks of static IP configuration on guest networks. Finally, conduct regular network audits to verify that guest network isolation is functioning as intended.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
CVE-2025-46635: n/a in n/a
Description
An issue was discovered on Tenda RX2 Pro 16.03.30.14 devices. Improper network isolation between the guest Wi-Fi network and other network interfaces on the router allows an attacker (who is authenticated to the guest Wi-Fi) to access resources on the router and/or resources and devices on other networks hosted by the router by configuring a static IP address (within the non-guest subnet) on their host.
AI-Powered Analysis
Technical Analysis
CVE-2025-46635 is a high-severity vulnerability affecting Tenda RX2 Pro routers running firmware version 16.03.30.14. The core issue is improper network isolation between the guest Wi-Fi network and other internal network interfaces on the router. Normally, guest Wi-Fi networks are segmented to restrict access to internal resources and other connected devices, providing a security boundary. However, due to this vulnerability, an attacker who is authenticated to the guest Wi-Fi can bypass this isolation by manually configuring a static IP address within the subnet of the non-guest network. This misconfiguration allows the attacker to access router resources and other devices on the internal network that should be segregated from guest users. The vulnerability is classified under CWE-284 (Improper Access Control), indicating that the router fails to enforce proper access restrictions between network segments. The CVSS v3.1 base score is 7.1 (high), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The impact is high on confidentiality, as unauthorized access to internal network resources is possible, with limited impact on integrity and no impact on availability. No known exploits are reported in the wild yet, and no patches have been linked or published at the time of disclosure. This vulnerability could be exploited by any authenticated guest Wi-Fi user capable of configuring their device's IP settings, which is a relatively low barrier for attackers with physical or temporary network access.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially in environments where Tenda RX2 Pro routers are deployed and guest Wi-Fi networks are provided to visitors, contractors, or customers. Unauthorized access from the guest network to internal resources can lead to data leakage, unauthorized monitoring, or lateral movement within the network. Confidential information stored on internal devices or accessible services could be exposed. This risk is heightened in sectors with strict data protection requirements such as finance, healthcare, and critical infrastructure. Additionally, the ability to access router management interfaces could allow attackers to alter configurations, potentially leading to further compromise or persistent access. The vulnerability undermines network segmentation strategies that are critical for compliance with European data protection regulations like GDPR, which mandate appropriate technical measures to protect personal data. Organizations relying on Tenda RX2 Pro routers without proper compensating controls may face regulatory penalties and reputational damage if exploited.
Mitigation Recommendations
Immediate mitigation should focus on restricting guest Wi-Fi users from configuring static IP addresses within the internal network's subnet. Network administrators should implement DHCP snooping and IP source guard features if supported by the router or network infrastructure to prevent IP spoofing and unauthorized static IP assignment. Segmentation should be enforced at the router or switch level using VLANs with strict access control lists (ACLs) to isolate guest traffic effectively. Monitoring and logging of guest network activity should be enhanced to detect anomalous IP configurations or unauthorized access attempts. Where possible, upgrade or replace affected Tenda RX2 Pro devices with firmware versions that address this vulnerability once available. If no patch is available, consider disabling guest Wi-Fi or restricting guest access to internet-only connectivity via firewall rules. Educate users and network administrators about the risks of static IP configuration on guest networks. Finally, conduct regular network audits to verify that guest network isolation is functioning as intended.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2025-04-26T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9838c4522896dcbec0dc
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 7/3/2025, 7:28:23 AM
Last updated: 8/16/2025, 2:55:25 AM
Views: 16
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.