Critical command injection vulnerabilities in TP-Link Omada Gateways enable remote code execution

TP-Link has disclosed multiple critical security vulnerabilities affecting its Omada gateway product line, including a severe command injection flaw that allows unauthenticated remote attackers to execute arbitrary operating system commands. The most critical vulnerability, tracked as CVE-2025-6542 (CVSS v4 score 9.3), poses significant risks to small and medium businesses relying on Omada gateways for network security, routing, firewall, and VPN capabilities. The flaws could enable attackers to achieve complete device compromise, steal sensitive data, establish persistence mechanisms, and move laterally through corporate networks.

Omada gateways are marketed as comprehensive full-stack network solutions combining router, firewall, and VPN gateway functionality for small to medium-sized businesses. The devices have been gaining increasing popularity as cost-effective enterprise networking solutions. The discovery of these vulnerabilities represents a significant security concern for organizations that have deployed Omada gateways as critical network infrastructure components, particularly those exposed to the internet or accessible from untrusted network segments.

Although the disclosed vulnerabilities lead to similar outcomes when successfully exploited, they differ significantly in their exploitation requirements and accessibility to attackers. CVE-2025-6542 stands out as the most severe due to its ability to be exploited remotely without any authentication, while CVE-2025-6541 requires the attacker to first obtain access to the web management interface through valid credentials.

Vulnerabilities summary:

• CVE-2025-6542 (CVSS score 9.3): OS command injection vulnerability that allows remote unauthenticated attackers to execute arbitrary commands on the device's underlying operating system.
• CVE-2025-6541 (CVSS score 8.6): OS command injection vulnerability that can be exploited by authenticated users who can log into the web management interface. Once authenticated, attackers can execute arbitrary commands on the underlying operating system with elevated privileges.

In a separate security bulletin, TP-Link disclosed two additional severe vulnerabilities affecting the same Omada gateway product line:

• CVE-2025-7850 (CVSS score 9.3): A command injection vulnerability that can be exploited by attackers who possess administrative passwords to access the Omada web portal. Once authenticated with admin credentials, attackers can inject and execute arbitrary OS commands.
• CVE-2025-7851 (CVSS score 8.7): A privilege escalation vulnerability that enables attackers to obtain shell access with root privileges on the underlying operating system, though restricted to Omada's privilege context. This vulnerability could allow attackers to perform administrative operations and access sensitive system components.

The vulnerabilities impact 13 different Omada gateway models:

• ER8411: Versions prior to 1.3.3 Build 20251013 Rel.44647
• ER7412-M2: Versions prior to 1.1.0 Build 20251015 Rel.63594
• ER707-M2: Versions prior to 1.3.1 Build 20251009 Rel.67687
• ER7206: Versions prior to 2.2.2 Build 20250724 Rel.11109
• ER605: Versions prior to 2.3.1 Build 20251015 Rel.78291
• ER706W: Versions prior to 1.2.1 Build 20250821 Rel.80909
• ER706W-4G: Versions prior to 1.2.1 Build 20250821 Rel.82492
• ER7212PC: Versions prior to 2.1.3 Build 20251016 Rel.82571
• G36: Versions prior to 1.1.4 Build 20251015 Rel.84206
• G611: Versions prior to 1.2.2 Build 20251017 Rel.45512
• FR365: Versions prior to 1.1.10 Build 20250626 Rel.81746
• FR205: Versions prior to 1.0.3 Build 20251016 Rel.61376
• FR307-M2: Versions prior to 1.2.5 Build 20251015 Rel.76743

TP-Link has released firmware updates for all affected Omada gateway models and strongly recommends that users with impacted devices download and apply the latest firmware versions. Organizations should prioritize patching devices that are internet-facing or accessible from untrusted networks.