CVE-2025-46635 is a high-severity vulnerability affecting Tenda RX2 Pro routers running firmware version 16.03.30.14. The core issue is improper network isolation between the guest Wi-Fi network and other internal network interfaces on the router. Normally, guest Wi-Fi networks are segmented to restrict access to internal resources and other connected devices, providing a security boundary. However, due to this vulnerability, an attacker who is authenticated to the guest Wi-Fi can bypass this isolation by manually configuring a static IP address within the subnet of the non-guest network. This misconfiguration allows the attacker to access router resources and other devices on the internal network that should be segregated from guest users. The vulnerability is classified under CWE-284 (Improper Access Control), indicating that the router fails to enforce proper access restrictions between network segments. The CVSS v3.1 base score is 7.1 (high), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The impact is high on confidentiality, as unauthorized access to internal network resources is possible, with limited impact on integrity and no impact on availability. No known exploits are reported in the wild yet, and no patches have been linked or published at the time of disclosure. This vulnerability could be exploited by any authenticated guest Wi-Fi user capable of configuring their device's IP settings, which is a relatively low barrier for attackers with physical or temporary network access.

For European organizations, this vulnerability poses a significant risk especially in environments where Tenda RX2 Pro routers are deployed and guest Wi-Fi networks are provided to visitors, contractors, or customers. Unauthorized access from the guest network to internal resources can lead to data leakage, unauthorized monitoring, or lateral movement within the network. Confidential information stored on internal devices or accessible services could be exposed. This risk is heightened in sectors with strict data protection requirements such as finance, healthcare, and critical infrastructure. Additionally, the ability to access router management interfaces could allow attackers to alter configurations, potentially leading to further compromise or persistent access. The vulnerability undermines network segmentation strategies that are critical for compliance with European data protection regulations like GDPR, which mandate appropriate technical measures to protect personal data. Organizations relying on Tenda RX2 Pro routers without proper compensating controls may face regulatory penalties and reputational damage if exploited.

Immediate mitigation should focus on restricting guest Wi-Fi users from configuring static IP addresses within the internal network's subnet. Network administrators should implement DHCP snooping and IP source guard features if supported by the router or network infrastructure to prevent IP spoofing and unauthorized static IP assignment. Segmentation should be enforced at the router or switch level using VLANs with strict access control lists (ACLs) to isolate guest traffic effectively. Monitoring and logging of guest network activity should be enhanced to detect anomalous IP configurations or unauthorized access attempts. Where possible, upgrade or replace affected Tenda RX2 Pro devices with firmware versions that address this vulnerability once available. If no patch is available, consider disabling guest Wi-Fi or restricting guest access to internet-only connectivity via firewall rules. Educate users and network administrators about the risks of static IP configuration on guest networks. Finally, conduct regular network audits to verify that guest network isolation is functioning as intended.