Critical TP-Link Omada Gateway Flaw (CVE-2025-6542, CVSS 9.3) Allows Unauthenticated Remote Command Execution
Ddos 
TP-Link Systems has released a new firmware update addressing four high- and critical-severity vulnerabilities in its popular Omada gateway series, including ER605, ER7206, ER8411, and others widely deployed in enterprise and small business networks. The flaws—identified as CVE-2025-6541, CVE-2025-6542, CVE-2025-7850, and CVE-2025-7851—allow attackers to execute arbitrary operating system commands on affected devices, in some cases without authentication.
According to TP-Link’s advisory, “An arbitrary OS command may be executed on Omada gateways by the user who can log in to the web management interface or by a remote unauthenticated attacker.”
The two most critical vulnerabilities are:
- CVE-2025-6542 (CVSS 9.3 – Critical): Enables remote unauthenticated attackers to execute arbitrary OS commands.
- CVE-2025-6541 (CVSS 8.6 – High): Allows authenticated users to execute arbitrary commands through the web management interface.
Both vulnerabilities affect multiple Omada gateway models, exposing network administrators to complete system compromise if left unpatched. TP-Link warns that “Attackers may execute arbitrary commands on the device’s underlying operating system.”
This means that once exploited, an attacker could modify configurations, intercept traffic, or deploy persistent malware within a business network.
In addition to the above, TP-Link has disclosed two related command injection issues affecting the same product line:
- CVE-2025-7850 (CVSS 9.3): A command injection vulnerability may be exploited after the admin’s authentication on the web portal on Omada gateways.
- CVE-2025-7851 (CVSS 8.7): An attacker may obtain the root shell on the underlying with restricted conditions on Omada gateways.
These could enable authenticated users—or anyone who compromises administrator credentials—to gain root-level control, effectively bypassing all device protections.
The following Omada products are impacted by one or more of the above vulnerabilities:
| Model | Affected Versions | Fixed Version |
|---|---|---|
| ER8411 | < 1.3.3 Build 20251013 | ≥ 1.3.3 Build 20251013 (Rel.44647) |
| ER7412-M2 | < 1.1.0 Build 20251015 | ≥ 1.1.0 Build 20251015 (Rel.63594) |
| ER707-M2 | < 1.3.1 Build 20251009 | ≥ 1.3.1 Build 20251009 (Rel.67687) |
| ER7206 | < 2.2.2 Build 20250724 | ≥ 2.2.2 Build 20250724 (Rel.11109) |
| ER605 | < 2.3.1 Build 20251015 | ≥ 2.3.1 Build 20251015 (Rel.78291) |
| ER706W / ER706W-4G | < 1.2.1 Build 20250821 | ≥ 1.2.1 Build 20250821 (Rel.80909 / Rel.82492) |
| ER7212PC | < 2.1.3 Build 20251016 | ≥ 2.1.3 Build 20251016 (Rel.82571) |
| G36 | < 1.1.4 Build 20251015 | ≥ 1.1.4 Build 20251015 (Rel.84206) |
| G611 | < 1.2.2 Build 20251017 | ≥ 1.2.2 Build 20251017 (Rel.45512) |
| FR365 | < 1.1.10 Build 20250626 | ≥ 1.1.10 Build 20250626 (Rel.81746) |
| FR205 | < 1.0.3 Build 20251016 | ≥ 1.0.3 Build 20251016 (Rel.61376) |
| FR307-M2 | < 1.2.5 Build 20251015 | ≥ 1.2.5 Build 20251015 (Rel.76743) |
TP-Link urges all customers to immediately install the latest firmware updates to mitigate the risks associated with these vulnerabilities.
Following the update, administrators should review device configurations and change administrative passwords to prevent potential exploitation through cached or leaked credentials.
Additionally, TP-Link recommends restricting management interface access to trusted networks only and enabling network segmentation where possible.
Donate