TP‑Link warns of critical command injection flaw in Omada gateways

Date Posted: 2025‑10‑21

What You Need to Be Aware Of

  • Two separate command‑injection vulnerabilities (CVE‑2025‑6542 and CVE‑2025‑6541) allow attackers to execute arbitrary OS commands on affected Omada gateways.
  • CVE‑2025‑6542 is a remote unauthenticated flaw with a critical severity of 9.3; CVE‑2025‑6541 requires web‑interface login and has a severity of 8.6.
  • The flaws affect 13 gateway models (ER8411, ER7412‑M2, ER707‑M2, ER7206, ER605, ER706W, ER706W‑4G, ER7212PC, G36, G611, FR365, FR205, FR307‑M2) in specific firmware ranges.
  • Exploitation can lead to full device compromise, lateral movement, data theft, and persistence on the network.

How It Might Affect You

  • If you run any of the impacted Omada gateway models, an attacker could take control of your network router, firewall, or VPN gateway without needing credentials.
  • A compromised gateway can expose internal traffic, allow attackers to pivot into other systems, and provide a foothold for further attacks such as ransomware or data exfiltration.

Mitigation Steps

  1. Immediate Actions
    • Download and install the latest firmware from TP‑Link’s official support site for your specific model (the update addresses all four identified CVEs).
    • Verify that post‑upgrade settings match your intended configuration; reset any overridden parameters if necessary.
  2. Long‑Term Measures
    • Implement network segmentation so that critical management interfaces are isolated from the rest of the LAN.
    • Enforce strong, unique passwords for the web interface and enable two‑factor authentication where available.
    • Regularly monitor device logs for anomalous command execution or unexpected reboots.

Sources
TP‑Link warns of critical command injection flaw in Omada gateways, 2025‑10‑21

Risk Assessment

The remote unauthenticated vulnerability (CVE‑2025‑6542) warrants a High risk rating. Prompt firmware updates are essential to mitigate potential full network compromise.