Full Report
TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution. The vulnerabilities in question are listed below - CVE-2025-6541 (CVSS score: 8.6) - An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management
Analysis Summary
# Vulnerability: Critical RCE and Command Injection Flaws in TP-Link Omada Gateways
## CVE Details
- CVE ID: CVE-2025-6541, CVE-2025-6542, CVE-2025-7850, CVE-2025-7851
- CVSS Score:
  - CVE-2025-6541: 8.6 (High)
  - CVE-2025-6542: 9.3 (Critical)
  - CVE-2025-7850: 9.3 (Critical)
  - CVE-2025-7851: 8.7 (High)
- CWE: Command Injection (for CVE-2025-6541, CVE-2025-6542, CVE-2025-7850); Improper Privilege Management (for CVE-2025-7851)
## Affected Systems
- Products: TP-Link Omada Gateways (ER series, FR series, G series)
- Versions:
  - ER8411: `< 1.3.3 Build 20251013 Rel.44647`
  - ER7412-M2: `< 1.1.0 Build 20251015 Rel.63594`
  - ER707-M2: `< 1.3.1 Build 20251009 Rel.67687`
  - ER7206: `< 2.2.2 Build 20250724 Rel.11109`
  - ER605: `< 2.3.1 Build 20251015 Rel.78291`
  - ER706W: `< 1.2.1 Build 20250821 Rel.80909`
  - ER706W-4G: `< 1.2.1 Build 20250821 Rel.82492`
  - ER7212PC: `< 2.1.3 Build 20251016 Rel.82571`
  - G36: `< 1.1.4 Build 20251015 Rel.84206`
  - G611: `< 1.2.2 Build 20251017 Rel.45512`
  - FR365: `< 1.1.10 Build 20250626 Rel.81746`
  - FR205: `< 1.0.3 Build 20251016 Rel.61376`
  - FR307-M2: `< 1.2.5 Build 20251015 Rel.76743`
- Configurations: Specific attack vectors depend on authentication status (see description).
## Vulnerability Description
TP-Link addressed four vulnerabilities in Omada gateway devices, two of which allow for Remote Code Execution (RCE):
1. **CVE-2025-6541 (OS Command Injection):** Allows an authenticated attacker accessing the web management interface to execute arbitrary OS commands.
2. **CVE-2025-6542 (OS Command Injection):** Allows a **remote unauthenticated attacker** to execute arbitrary OS commands. This is the most critical flaw.
3. **CVE-2025-7850 (OS Command Injection):** Allows an attacker who possesses administrator credentials for the web portal to execute arbitrary OS commands.
4. **CVE-2025-7851 (Improper Privilege Management):** Allows an attacker to obtain a root shell on the underlying operating system under specific, restricted conditions.
In all command injection vulnerabilities, successful exploitation allows attackers to execute arbitrary commands on the device's underlying operating system.
## Exploitation
- Status: No active exploitation in the wild has been reported. PoC status is not explicitly detailed (implied high likelihood due to known CVEs).
- Complexity: Varies. CVE-2025-6542 (Unauthenticated RCE) suggests **Low** complexity for remote attack vectors. CVE-2025-6541 and CVE-2025-7850 require authentication/login.
- Attack Vector: Network (for unauthenticated RCE); Adjacent/Local (for authenticated RCE).
## Impact
- Confidentiality: High (Arbitrary code execution can lead to data exfiltration)
- Integrity: High (Ability to modify system files and settings)
- Availability: High (Ability to disable services or brick the device)
## Remediation
### Patches
Users must upgrade to the fixed firmware versions provided by TP-Link. Specific patched versions are not listed in the article, but users must update to versions newer than those listed in the 'Affected Systems' section.
### Workarounds
No specific workarounds were provided in the source document, but immediate patching is strongly advised to eliminate the risk, especially due to the unauthenticated RCE vulnerability (CVE-2025-6542).
## Detection
- Indicators of Compromise: Monitoring for unusual outbound connections, unexpected process execution, or modifications to system configuration files on the gateway device.
- Detection methods and tools: Inspection of web management interface logs for suspicious input vectors indicative of command injection.
## References
- Vendor Advisories: TP-Link Omada Security Advisories (links provided in the source content but defanged below)
  - support dot omadanetworks dot com/en/document/108455/
  - support dot omadanetworks dot com/en/document/108456/
- Relevant links (defanged):
  - nvd dot nist dot gov/vuln/detail/CVE-2025-6541
  - nvd dot nist dot gov/vuln/detail/CVE-2025-6542
  - nvd dot nist dot gov/vuln/detail/CVE-2025-7850
  - nvd dot nist dot gov/vuln/detail/CVE-2025-7851