TP-Link Omada Gateway Vulnerabilities Allow Remote Code Execution
TP-Link has released security updates to address four critical vulnerabilities affecting its Omada gateway devices, with two of these flaws enabling remote code execution. The most severe of these vulnerabilities, CVE-2025-6542, carries a CVSS score of 9.3 and allows remote unauthenticated attackers to execute arbitrary commands on the device's underlying operating system. Another critical flaw, CVE-2025-6541, is an operating system command injection vulnerability that can be exploited by attackers with access to the web management interface. CVE-2025-7850, also with a CVSS score of 9.3, requires possession of an administrator password to exploit, but similarly allows arbitrary command execution. The fourth vulnerability, CVE-2025-7851, involves improper privilege management and could enable attackers to obtain a root shell under certain conditions. Affected models include ER8411, ER7412-M2, ER707-M2, ER7206, ER605, ER706W, ER706W-4G, ER7212PC, G36, G611, FR365, FR205, and FR307-M2, with specific firmware versions listed as vulnerable. TP-Link has advised all users of impacted devices to immediately update to the latest firmware versions to mitigate these risks. The company also recommends verifying device configurations after upgrading the firmware to ensure security settings remain intact. There is currently no evidence that these vulnerabilities have been exploited in the wild, but the critical nature of the flaws and the potential for remote, unauthenticated exploitation make prompt patching essential. The vulnerabilities could allow attackers to gain full control over affected devices, potentially enabling lateral movement within networks or use of the devices as a foothold for further attacks. The flaws were disclosed in a coordinated manner, and TP-Link responded by releasing patches and advisories to inform customers. Security researchers have highlighted the risk posed by these vulnerabilities, especially in environments where Omada gateways are used to manage network traffic and security. Organizations using these devices should prioritize patching and review their network segmentation to limit potential exposure. The vulnerabilities underscore the importance of regular firmware updates and strong administrative credential management for network infrastructure devices. TP-Link's advisory provides detailed instructions for identifying affected models and applying the necessary updates. The disclosure has prompted renewed attention to the security of network gateways and the need for ongoing vigilance in monitoring for new vulnerabilities. Security teams are urged to monitor for signs of compromise and to ensure that all network devices are included in vulnerability management programs. The incident serves as a reminder of the critical role that timely patching plays in defending against remote exploitation threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Additional major TP-Link VPN router vulnerabilities are reported
Researchers publicly reported major vulnerabilities affecting TP-Link VPN routers, expanding concern beyond the initially highlighted Omada Gateway issues. The report indicated broader security weaknesses in TP-Link networking products.
TP-Link patches four Omada Gateway vulnerabilities
TP-Link released fixes for four vulnerabilities affecting Omada Gateway products, including two flaws that could enable remote code execution. This patch release marked the vendor's official remediation response to the disclosed issues.
Critical TP-Link Omada Gateway flaw CVE-2025-6542 is disclosed
A critical vulnerability tracked as CVE-2025-6542 affecting TP-Link Omada Gateway devices was publicly disclosed. The flaw was described as an unauthenticated remote command execution issue with a CVSS score of 9.3.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Major Vulnerabilities Found in TP-Link VPN Routers
infosecurity-magazine.com
Open sourceTP-Link Patches Four Omada Gateway Flaws, Two Allow Remote Code Execution
thehackernews.com
Open sourceCritical TP-Link Omada Gateway Flaw (CVE-2025-6542, CVSS 9.3) Allows Unauthenticated Remote Command Execution
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
TP-Link Archer Routers Patched for Command Injection and Multiple Security Flaws
TP-Link has disclosed and patched a high-severity authenticated command injection flaw, **CVE-2026-5509**, affecting **Archer BE450 v1** and **BE7200 v1** routers. The vulnerability in the web management interface carries a **CVSS 8.5** score and can let an attacker who has already gained administrative access execute arbitrary system commands, potentially leading to elevated privileges, configuration tampering, unauthorized service execution, and interception of sensitive network traffic. TP-Link said devices running firmware earlier than **`1.3.0 Build 20260416`** are vulnerable and urged customers to install the latest firmware from its regional support portals. The disclosure follows broader reporting on security weaknesses affecting **TP-Link Archer NX** routers, adding to concerns over exploitable flaws in the vendor’s consumer networking lineup. Together, the reports highlight continued risk in internet-facing router management functions, where compromised credentials or prior access can turn web interface bugs into full device compromise. Organizations and home users using affected Archer models should verify firmware versions, restrict administrative access, and apply vendor updates immediately.
Jun 2, 2026
Command Injection Flaws Expose TP-Link Archer NX Routers to Admin-Level RCE
TP-Link Archer `NX200`, `NX210`, `NX500`, and `NX600` routers are affected by two high-severity command injection vulnerabilities, tracked as **CVE-2025-15518** and **CVE-2025-15519**. The flaws stem from improper input handling in administrative CLI functions: one in a wireless-control command and the other in a modem-management command. In both cases, crafted input can be incorporated into operating system commands, enabling arbitrary command execution on the underlying device. The vulnerabilities require an authenticated attacker with administrative privileges, but successful exploitation could compromise the **confidentiality, integrity, and availability** of affected routers. Both issues are classified as `CWE-78` and were published as new CVE records with high-impact `CVSS v4.0` scoring. The CVE entries point users to TP-Link firmware download pages and support documentation for remediation guidance.
Mar 23, 2026
Critical Command Injection Flaws Expose Totolink A7100RU and A8000RU Routers
Two Totolink router models, **A7100RU** and **A8000RU**, were disclosed with critical OS command injection vulnerabilities in the CGI handler endpoint `/cgi-bin/cstecgi.cgi`. The flaws affect the `setVpnPassCfg` function and stem from improper handling of the `pptpPassThru` argument, allowing attackers to inject operating system commands remotely. The issues were assigned **CVE-2026-5850** for the A7100RU running firmware `7.4cu.2313_b20191024` and **CVE-2026-7037** for the A8000RU running firmware `7.1cu.643_b20200521`. Both vulnerabilities are classified under **CWE-78** and **CWE-77**, and were reported as remotely exploitable without privileges or user interaction. The disclosures indicate that **public exploits are available**, materially raising the risk of opportunistic compromise of exposed devices. Severity scoring across **CVSS v2**, **CVSS v3.1**, and **CVSS v4.0** places the flaws at critical or maximum-impact levels, making internet-facing Totolink routers running the affected firmware high-priority targets for remediation or isolation.
Apr 26, 2026