
TP-Link has released a security update that addresses four security flaws affecting Omada Gateway devices, including two critical bugs that could lead to the execution of arbitrary code.
The vulnerabilities in question are as follows.
CVE-2025-6541 (CVSS score: 8.6) – Operating system command injection vulnerability. It could be exploited by an attacker who can log in to the web management interface to execute arbitrary commands.
CVE-2025-6542 (CVSS score: 9.3) – Operating system command injection vulnerability. It may be exploited by a remote unauthenticated attacker to execute arbitrary commands.
CVE-2025-7850 (CVSS score: 9.3) – Operating system command injection vulnerability. It could be used by an attacker in possession of the web portal’s administrator password to execute arbitrary commands.
CVE-2025-7851 (CVSS score: 8.7) – Improper privilege management vulnerability. It could be exploited by an attacker to obtain the root shell on the underlying operating system under restricted conditions.

“An attacker could execute arbitrary commands on the device’s underlying operating system,” TP-Link said in an advisory published Tuesday.
This issue affects the following product models and versions:
ER8411 < 1.3.3 Build 20251013 Rel.44647
ER7412-M2 < 1.1.0 Build 20251015 Rel.63594
ER707-M2 < 1.3.1 Build 20251009 Rel.67687
ER7206 < 2.2.2 Build 20250724 Rel.11109
ER605 < 2.3.1 Build 20251015 Rel.78291
ER706W < 1.2.1 Build 20250821 Rel.80909
ER706W-4G < 1.2.1 Build 20250821 Rel.82492
ER7212PC < 2.1.3 Build 20251016 Rel.82571
G36 < 1.1.4 Build 20251015 Release 84206
G611 < 1.2.2 Build 20251017 Rel.45512
FR365 < 1.1.10 Build 20250626 Rel.81746
FR205 < 1.0.3 Build 20251016 Rel.61376
FR307-M2 < 1.2.5 Build 20251015 Rel.76743
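To check a device inventory against the fixed versions listed above, here is an added example (not TP-Link's code and not part of the original article). It assumes installed firmware is reported in the same "x.y.z Build YYYYMMDD Rel.NNNNN" form and that ordering is by version number, then build date; the hostnames and installed versions in the sample are constructed.

```python
import re

# First fixed firmware per model, copied from the advisory's list.
FIXED = {
    "ER8411": "1.3.3 Build 20251013 Rel.44647", "ER7412-M2": "1.1.0 Build 20251015 Rel.63594",
    "ER707-M2": "1.3.1 Build 20251009 Rel.67687", "ER7206": "2.2.2 Build 20250724 Rel.11109",
    "ER605": "2.3.1 Build 20251015 Rel.78291", "ER706W": "1.2.1 Build 20250821 Rel.80909",
    "ER706W-4G": "1.2.1 Build 20250821 Rel.82492", "ER7212PC": "2.1.3 Build 20251016 Rel.82571",
    "G36": "1.1.4 Build 20251015 Release 84206", "G611": "1.2.2 Build 20251017 Rel.45512",
    "FR365": "1.1.10 Build 20250626 Rel.81746", "FR205": "1.0.3 Build 20251016 Rel.61376",
    "FR307-M2": "1.2.5 Build 20251015 Rel.76743",
}
# Matches "1.3.3 Build 20251013 Rel.44647" and the "Release 84206" variant.
FW_RE = re.compile(r"(\d+(?:\.\d+)+)\s+Build\s+(\d{8})(?:\s+Rel(?:ease)?[.\s]*(\d+))?", re.I)

def parse_firmware(text):
    """Return ((major, minor, ...), build_date, rel) or None if unparseable."""
    m = FW_RE.search(text)
    if not m:
        return None
    # Integer tuples so that 1.1.9 sorts below 1.1.10 (string comparison would not).
    version = tuple(int(p) for p in m.group(1).split("."))
    return (version, int(m.group(2)), int(m.group(3) or 0))

def classify(model, firmware):
    """'vulnerable', 'patched', or 'unknown' (model not listed or string unparseable)."""
    fixed = FIXED.get(model.strip().upper())
    have = parse_firmware(firmware)
    if fixed is None or have is None:
        return "unknown"
    return "vulnerable" if have < parse_firmware(fixed) else "patched"

def audit(inventory):
    """inventory: iterable of (hostname, model, firmware) -> list of (hostname, status)."""
    return [(host, classify(model, fw)) for host, model, fw in inventory]

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("gw-branch-1", "ER605", "2.2.6 Build 20240718 Rel.82712"),
    ("gw-hq", "ER8411", "1.3.3 Build 20251013 Rel.44647"),
    ("gw-lab", "er7206", "2.2.2 Build 20250724 Rel.11109"),
    ("gw-old", "FR365", "1.1.9 Build 20250101 Rel.10000"),
    ("sw-core", "SG3428", "3.0.0 Build 20230101 Rel.1"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Devices reported as "unknown" are either not in the advisory's list or returned a firmware string the parser does not recognise, and should be checked by hand.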
TP-Link does not mention which vulnerabilities are being exploited in the wild, but recommends that users promptly download and update to the latest firmware to fix the vulnerabilities.
“Please check your device configuration after a firmware upgrade to ensure that all settings are accurate, secure, and match the intended settings,” it added.
The disclaimer also states that TP-Link is not responsible for any consequences that may arise if the aforementioned recommended actions are not followed.