
Critical Command Injection Vulnerabilities in TP-Link Omada Gateways

3 unique sources, 3 articles

Summary


TP-Link Omada gateways are full-stack networking appliances for small and medium businesses, combining router, firewall and VPN gateway functions in one device. Omada and Festa VPN routers are affected by six critical command injection vulnerabilities, including the newly discovered CVE-2025-7850 and CVE-2025-7851. The flaws allow arbitrary OS command execution and root access on the device, which can lead to full compromise, data theft, lateral movement into the network behind the gateway, and persistence. CVE-2025-6542 and CVE-2025-6541 can be exploited remotely without authentication or through the web management interface; the two further flaws, CVE-2025-7850 and CVE-2025-7851, allow authenticated command injection and root access under certain conditions. CVE-2025-7850 and CVE-2025-7851 stem from an incomplete fix of an earlier vulnerability, CVE-2024-21827, which left residual debug code and insecure private key usage in the firmware. Multiple Omada gateway models and firmware versions are affected, and TP-Link has released firmware updates that address the issues.
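To make the bug class described above concrete, here is an added example that is not TP-Link's code and does not reproduce the Omada vulnerabilities: a hypothetical "diagnostic ping" handler of a gateway web UI, shown in three versions. The first splices the user-supplied host into a shell command line (the classic injection), the second applies an incomplete fix (a metacharacter blocklist that still hands the string to a shell, the kind of residual exposure an incomplete patch leaves behind), and the third allow-lists the parameter and builds an argv for execve()/posix_spawn() so no shell is involved. All function names and the sample inputs are constructed for the illustration; nothing here executes a command, each version only returns what it would run.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added, illustrative example: a hypothetical "diagnostic ping" handler of a
 * gateway web UI, in three versions. It is NOT TP-Link's code and does not
 * reproduce the Omada vulnerabilities; it only shows the bug class. Nothing
 * here executes a command: each version returns what it WOULD run. */

/* 1. Vulnerable: the user-supplied host is spliced into a shell command line
 *    (typically handed to system()/popen(), running as root on a gateway).
 *    Returns 1 when the command fits in out. */
int build_ping_cmd_vuln(const char *host, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return n >= 0 && (size_t)n < outlen;
}

/* 2. Incomplete fix: a blocklist strips ';', '|' and '&' but keeps the shell.
 *    Backticks, $(...), newlines and a leading '-' still get through. */
int build_ping_cmd_blocklist(const char *host, char *out, size_t outlen) {
    char clean[256];
    size_t n = 0;
    for (const char *p = host; *p && n < sizeof clean - 1; p++) {
        if (*p == ';' || *p == '|' || *p == '&')
            continue;                     /* dropped, but nothing else is */
        clean[n++] = *p;
    }
    clean[n] = '\0';
    int w = snprintf(out, outlen, "ping -c 1 %s", clean);
    return w >= 0 && (size_t)w < outlen;
}

/* 3. Hardened: allow-list the parameter (hostname / IPv4 / IPv6 characters
 *    only, no leading '-') and never involve a shell at all. */
int is_valid_host(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')  /* "-x" would become a ping option */
        return 0;
    for (const char *p = host; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Fills an argv for execve()/posix_spawn(), so the kernel, not /bin/sh,
 * receives the argument. Returns 0 and sets argv[0] = NULL on rejection. */
int build_ping_argv(const char *host, const char *argv[5]) {
    if (!is_valid_host(host)) {
        argv[0] = NULL;
        return 0;
    }
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 1;
}

int main(void) {
    /* Constructed inputs: one benign host and three injection attempts. */
    const char *inputs[] = { "8.8.8.8", "8.8.8.8; id", "8.8.8.8 $(id)", "`id`" };
    char cmd[512];
    const char *argv[5];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_ping_cmd_vuln(inputs[i], cmd, sizeof cmd);
        printf("vuln      : %s\n", cmd);
        build_ping_cmd_blocklist(inputs[i], cmd, sizeof cmd);
        printf("blocklist : %s\n", cmd);
        printf("hardened  : %s\n\n",
               build_ping_argv(inputs[i], argv) ? "accepted, exec without shell" : "rejected");
    }
    return 0;
}
```

The point of the second version is that the "fix" changes which payloads work, not whether injection is possible; `8.8.8.8 $(id)` survives the blocklist untouched. The third version removes the shell from the path entirely, which is the only durable fix. On a real gateway the handler runs as root, so the spawned binary should also be a fixed absolute path and, where the platform allows, run with dropped privileges.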

Timeline

  1. 23.10.2025 14:30 · 1 article

    Forescout's Vedere Labs discovers new vulnerabilities in TP-Link Omada and Festa VPN routers

    Researchers at Forescout's Vedere Labs have found two new vulnerabilities, CVE-2025-7850 and CVE-2025-7851, in TP-Link Omada and Festa VPN routers. Rated 9.3 and 8.7 respectively under CVSS 4.0, they allow command injection and unauthorized root access. Both stem from an incomplete fix of an earlier flaw, CVE-2024-21827, which left residual debug code and insecure private key usage in the firmware. The article describes the vulnerabilities, their potential impact, and the security controls recommended for mitigation.
  2. 22.10.2025 00:11 · 3 articles

    TP-Link Omada gateways affected by critical command injection vulnerabilities

    The article confirms the critical command injection vulnerabilities in TP-Link Omada gateways, lists the affected models and firmware versions, and stresses the importance of applying the released firmware updates. The affected models are ER8411, ER7412-M2, ER707-M2, ER7206, ER605, ER706W, ER706W-4G, ER7212PC, G36, G611, FR365, FR205 and FR307-M2; the vulnerable and fixed firmware versions are model-specific, so each deployed unit should be checked against the vendor advisory rather than assumed patched. The article also reports the two new vulnerabilities, CVE-2025-7850 and CVE-2025-7851, discovered by Forescout's Vedere Labs, which allow command injection and unauthorized root access because of an incomplete fix of the earlier CVE-2024-21827.

Similar Happenings

Arbitrary File Read Vulnerability in Slider Revolution Plugin

A vulnerability in the Slider Revolution plugin for WordPress, tracked as CVE-2025-9217, allows authenticated users with contributor-level permissions or higher to read sensitive files on the server. The flaw affects all versions up to 6.7.36 and stems from insufficient validation in the 'used_svg' and 'used_images' parameters. The issue was discovered by an independent researcher and disclosed through the Wordfence Bug Bounty Program. The developer, ThemePunch, released a patch on August 28, 2025. The vulnerability could expose confidential server data, including database credentials and cryptographic keys. Slider Revolution is widely used, with over 4 million active installations. Security experts recommend updating to the latest version to mitigate the risk.

RondoDox botnet exploits 56 n-day vulnerabilities in global attacks

The RondoDox botnet has been exploiting more than 50 vulnerabilities across more than 30 vendors since May 2025. It uses an "exploit shotgun" strategy, firing both old and recent exploits at every target to maximize infections. The exploited vulnerabilities include CVE-2023-1389, a flaw in the TP-Link Archer AX21 Wi-Fi router, and several others first demonstrated at Pwn2Own events. Between 35 and 40 of the targeted vulnerabilities are in consumer-oriented devices, which are often unmanaged and rarely updated, and the risk is greatest for devices that have reached end-of-life and will never be patched; many users also ignore firmware updates for hardware that is still supported. In late September a 230% surge in the botnet's attacks was reported, driven by weak credentials, unsanitized input, and old CVEs. Infected devices are abused for cryptocurrency mining, distributed denial-of-service (DDoS) attacks, and as footholds into enterprise networks. The full scale of the botnet's impact is not yet known but is potentially large. To mitigate the threat, users are advised to apply the latest firmware updates, replace end-of-life equipment, segment their networks, and use strong, unique passwords.

TP-Link Router Vulnerabilities Actively Exploited in the Wild

Two security flaws in TP-Link routers, CVE-2023-50224 and CVE-2025-9377, are being actively exploited. They affect multiple router models, including the TL-WR841N and Archer C7, and allow authentication bypass and remote code execution, respectively. The exploitation is linked to the Quad7 botnet and the China-linked threat actor Storm-0940. TP-Link has released firmware updates that address the issues, but the affected models have reached end-of-life and end-of-service status, so users are advised to upgrade to newer, supported hardware rather than rely on those updates. Federal agencies must apply mitigations by September 24, 2025.

Active exploitation of TP-Link and WhatsApp vulnerabilities added to KEV catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog amid active exploitation. The flaws affect TP-Link TL-WA855RE Wi-Fi Range Extender products and WhatsApp. The TP-Link flaw (CVE-2020-24363) allows an unauthenticated attacker on the same network to reset the device and gain administrative access. The WhatsApp flaw (CVE-2025-55177) was exploited in a targeted spyware campaign in conjunction with an Apple vulnerability (CVE-2025-43300). CISA has advised federal agencies to apply mitigations by September 23, 2025. The TP-Link product has reached end-of-life (EoL) status and will not receive further patches or updates. There were no public reports of in-the-wild exploitation of CVE-2020-24363 before CISA's warning, but proof-of-concept (PoC) exploit code has been publicly available since July 2020.