(Untitled)

Four vulnerabilities affecting 13 Omada gateway models enable attackers to execute commands and gain root access—some requiring no authentication

TP-Link has issued urgent security advisories warning that critical vulnerabilities in its Omada gateway lineup could allow attackers to completely compromise business networks, steal data, and establish persistent backdoors.

The flaws affect 13 models of Omada gateways—devices marketed as all-in-one router, firewall, and VPN solutions for small and medium-sized businesses—creating a significant security risk for organizations relying on these systems for network perimeter defense.

Most Critical: No Authentication Required

The most severe vulnerability, CVE-2025-6542, scores 9.3 out of 10 on the CVSS severity scale and can be exploited remotely without any authentication. This means an attacker on the internet could potentially compromise vulnerable gateways without needing login credentials or prior access to the network.

"A remote unauthenticated attacker can execute arbitrary commands on Omada gateways," TP-Link states in its security advisory, adding that attackers "can execute arbitrary commands in the device's underlying operating system."

A second critical flaw, CVE-2025-6541 (CVSS 8.6), requires access to the administrative web interface but similarly enables arbitrary command execution. Together, these vulnerabilities create multiple pathways for attackers to gain complete control over affected devices.

Full Device Compromise

Successful exploitation of these vulnerabilities could enable attackers to:

• Execute arbitrary commands with elevated privileges on the gateway's underlying Linux OS
• Steal sensitive data including network configurations, VPN credentials, and traffic logs
• Move laterally through connected networks after compromising the perimeter device
• Establish persistence by creating backdoors that survive reboots and firmware updates
• Manipulate network traffic by modifying firewall rules and routing tables

For businesses using these gateways as their primary network security device, such compromises could expose entire internal networks to attack.

Two Additional Critical Flaws

In a separate advisory, TP-Link disclosed two more critical vulnerabilities affecting the same gateway models:

CVE-2025-8750 (CVSS 9.3) enables command injection through the Omada web portal by attackers who possess administrator credentials. While authentication is required, compromised or weak admin passwords—a common issue in business environments—would allow exploitation.

CVE-2025-7851 (CVSS 8.7) permits attackers to obtain root shell access to the underlying OS, albeit within the privilege context of the Omada service. While somewhat limited compared to full root access, this level of control still enables significant malicious activity.

Affected Models

The vulnerabilities impact 13 Omada gateway models across TP-Link's ER, G, and FR series:

• ER Series: ER8411, ER7412-M2, ER707-M2, ER7206, ER605, ER706W, ER706W-4G, ER7212PC
• G Series: G36, G611
• FR Series: FR365, FR205, FR307-M2

Multiple firmware versions are affected, though TP-Link has not specified which versions are vulnerable in its public advisories.

Patches Available

TP-Link has released firmware updates addressing all four vulnerabilities simultaneously. The company "strongly recommends" users apply patches immediately and review device configurations following the update to ensure security settings remain intact.

The updates are available through TP-Link's support website and can typically be applied through the Omada web interface or controller software.

What Organizations Should Do

Given the critical severity and potential for network-wide compromise, security experts recommend immediate action:

1. Patch immediately: Download and install the latest firmware for all affected Omada gateway models
2. Verify configurations: Review firewall rules, VPN settings, and user accounts after updating
3. Change credentials: Update all administrative passwords, especially if devices have been exposed to the internet
4. Review logs: Check system and access logs for suspicious activity that may indicate prior compromise
5. Segment networks: Ensure proper network segmentation to limit damage if perimeter devices are compromised
6. Restrict management access: If not already configured, limit web interface access to trusted IP addresses only

Organizations unable to patch immediately should consider placing affected gateways behind additional security controls or temporarily restricting their internet exposure until updates can be applied.

Why This Matters

Network gateways represent a critical security boundary between internal networks and the internet. When these devices are compromised, attackers gain a strategic foothold that bypasses many internal security controls.

The presence of unauthenticated remote code execution vulnerabilities in business-focused network equipment is particularly concerning. Unlike vulnerabilities requiring extensive user interaction or pre-existing access, CVE-2025-6542 could theoretically be exploited at scale by scanning for vulnerable devices exposed to the internet.

For small and medium-sized businesses—the target market for Omada gateways—such compromises could be catastrophic. These organizations often lack dedicated security teams to detect and respond to sophisticated intrusions, making prevention through timely patching essential.

Broader Context

This disclosure follows a pattern of critical vulnerabilities discovered in networking equipment from major manufacturers. In recent years, enterprise and SMB network devices have become high-value targets for both cybercriminals and nation-state actors seeking persistent network access.

TP-Link's decision to issue separate advisories for the vulnerabilities—despite them affecting the same devices and being addressed in the same updates—may reflect different discovery timelines or researcher disclosures.

The company has not disclosed whether these vulnerabilities have been exploited in the wild, nor has it provided information about who discovered the flaws or whether they were reported through coordinated disclosure processes.

The Bottom Line

With CVSS scores ranging from 8.6 to 9.3, these vulnerabilities represent severe security risks requiring urgent attention. Organizations using TP-Link Omada gateways should treat patching as a top priority and assume that exploitation attempts may already be underway.

The availability of patches for all affected models means there's no excuse for delay. In the current threat landscape, internet-facing network equipment with known critical vulnerabilities can be targeted within hours of public disclosure.

For IT administrators managing these devices: patch now, verify configurations, and monitor for signs of compromise. The stakes—complete network compromise—are too high to wait.