On October 21, 2025, TP-Link released firmware updates to address four vulnerabilities affecting a wide range of Omada gateway models including ER605, ER7206, ER8411, and others. TP-Link Omada gateways are commonly deployed in small and medium-sized enterprise networks and managed service provider (MSP) environments. These devices provide centralized control over routers, switches, and wireless access points.
The most critical issue, CVE-2025-6542, is due to improper input validation in the backend service. This vulnerability allows remote, unauthenticated users to execute malicious commands and gain full control of the affected device. Exploitation can be achieved via malicious HTTP requests to the device’s web interface, and does not require credentials or prior access. It carries a Common Vulnerability Scoring System (CVSS) base score of 9.3 out of 10, and is categorized as critical.
Another critical flaw, CVE-2025-7850, could enable a user with admin credentials to execute malicious commands on the device. It also affects the web management interface and is caused by insufficient sanitization of user input. While the CVSS score is also 9.3, exploitation of this flaw requires valid credentials, reducing the likelihood of opportunistic attacks. Successful exploitation could result in full control of the device and compromise of connected infrastructure.
CVE-2025-6541 allows a low-privilege user authenticated to the web management interface to execute malicious operating system commands. Although exploitation requires valid credentials, the flaw enables privilege escalation and can lead to full device takeover. The CVSS base score is 8.6, indicating high severity.
CVE-2025-7851 could allow an unauthorized user to obtain a root shell on the underlying system of affected Omada gateways under restricted conditions. Due to insufficient access controls in the web management interface, such a user can obtain unauthorized access to sensitive configuration data. This vulnerability was assigned a CVSS score of 8.7 out of 10, a high severity rating.
Analyst insight
Network gateway devices, such as firewalls, VPN concentrators, and edge routers, have repeatedly been targeted by threat actors due to their privileged position in enterprise environments. Vulnerabilities in these systems often allow threat actors to bypass perimeter defenses, establish a foothold, and move laterally across internal networks. Past incidents show that flaws in gateway technologies have been exploited to deploy ransomware, steal sensitive data, and maintain long-term persistence.
Organizations using affected Omada gateway models are advised to upgrade to the latest firmware versions. Firmware updates are available from TP-Link’s Support portal.
Where immediate patching is not feasible, access to the web management interface should be restricted to trusted internal networks or secured via VPN. Enforcing strong, unique administrative credentials and monitoring for unauthorized access attempts can reduce exposure to this threat.
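One way to check both interim mitigations, management access limited to trusted networks and monitoring for unauthorized access attempts, is to audit an exported access log. This is an added example, not TP-Link code; the log line format, the /login path, the trusted networks and the failure threshold are all assumptions, since the advisory does not describe the gateway's log format.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the only networks allowed to reach the web management interface.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.99.0.0/28")]
FAILED_LOGIN_THRESHOLD = 3  # assumption: flag a source at this many failures

# Assumed line format: "<ISO time> src=<ip> method=<verb> path=<path> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>[A-Z]+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2025-10-22T08:01:10Z src=10.20.0.15 method=POST path=/login status=200
2025-10-22T08:03:42Z src=203.0.113.7 method=GET path=/ status=200
2025-10-22T08:03:50Z src=203.0.113.7 method=POST path=/login status=401
2025-10-22T08:03:52Z src=203.0.113.7 method=POST path=/login status=401
2025-10-22T08:03:55Z src=203.0.113.7 method=POST path=/login status=401
2025-10-22T08:10:00Z src=10.20.0.15 method=POST path=/login status=401
this line is malformed and must not crash the audit
2025-10-22T08:12:31Z src=198.51.100.23 method=POST path=/login status=200
"""

def audit(log_text):
    """Return (untrusted source IPs, sources at/over the failure threshold, unparsed count)."""
    untrusted, failures, unparsed = set(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # count, do not silently drop, lines we cannot read
            continue
        try:
            addr = ipaddress.ip_address(m["src"])
        except ValueError:
            unparsed += 1
            continue
        # Any request from outside the allowlist means the restriction is not effective.
        if not any(addr in net for net in TRUSTED_NETS):
            untrusted.add(str(addr))
        # Rejected requests are counted per source, trusted or not.
        if m["status"] in ("401", "403"):
            failures[str(addr)] += 1
    noisy = {ip: n for ip, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD}
    return sorted(untrusted), noisy, unparsed

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A successful response to an address outside the trusted networks, such as the last sample line, is the finding to act on first, because it shows the interface is still reachable from where it should not be.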