Critical Malicious Code Vulnerabilities Threaten TP-Link Omada Gateways

Various Omada TP-Link gateway models are vulnerable. In the worst case, attackers can gain root access to systems or even execute malicious code.

Multiple Security Issues

The developers state in the following advisories that they have closed a total of four security vulnerabilities (CVE-2025-6541 "high", CVE-2025-6542 "critical", CVE-2025-7850 "critical", CVE-2025-7851 "high").

• OS command injection vulnerabilities on Omada gateways (CVE-2025-6541 and CVE-2025-6542)
• OS command injection and root access vulnerabilities on Omada gateways (CVE-2025-7850, CVE-2025-7851)

By successfully exploiting the first two vulnerabilities, remote attackers can execute malicious code without authentication, thus fully compromising systems. How such attacks could proceed in detail is not yet known.

In the third case, attackers can also execute malicious code, but an administrator must already be authenticated for this. The last vulnerability allows attackers to access a root shell. So far, there are no indications that attackers are already exploiting the flaws. However, this can change quickly, and network administrators should react promptly.

Secure Instances

This list shows the specifically threatened models and the respective secured firmware. All previous versions are considered vulnerable.

• ER8411 1.3.3 Build 20251013 Rel.44647
• ER7412-M2 1.1.0 Build 20251015 Rel.63594
• ER707-M2 1.3.1 Build 20251009 Rel.67687
• ER7206 2.2.2 Build 20250724 Rel.11109
• ER605 2.3.1 Build 20251015 Rel.78291
• ER706W 1.2.1 Build 20250821 Rel.80909
• ER706W-4G 1.2.1 Build 20250821 Rel.82492
• ER7212PC 2.1.3 Build 20251016 Rel.82571
• G36 1.1.4 Build 20251015 Rel.84206
• G611 1.2.2 Build 20251017 Rel.45512
• FR365 1.1.10 Build 20250626 Rel.81746
• FR205 1.0.3 Build 20251016 Rel.61376
• FR307-M2 1.2.5 Build 20251015 Rel.76743

(des)