Summary: TP-Link’s October 2025 security updates fix 4 vulnerabilities in its Omada Gateway devices, including multiple models commonly used in business networks.
| OEM | TP-Link |
| Severity | Critical |
| CVSS Score | 9.3 |
| CVEs | CVE-2025-6541, CVE-2025-6542, CVE-2025-7850, CVE-2025-7851 |
| Date of Announcement | 2025-10-21 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview:
The vulnerabilities allow attackers to execute remote commands, even without authentication, potentially compromising systems. Some vulnerabilities also let authenticated users inject commands or gain root access, which could lead to traffic interception, configuration changes or malware installation. Security teams are advised to update firmware immediately, review network configurations and change passwords to reduce the risk of exploitation.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| OS Command Injection Vulnerability | CVE-2025-6542 | TP-Link Omada Gateways | Critical | 9.3 |
| Command Injection Vulnerability | CVE-2025-7850 | TP-Link Omada Gateways | Critical | 9.3 |
Technical Summary:
The vulnerabilities in TP-Link Omada Gateways allow attackers to run arbitrary commands. With the most critical one, CVE-2025-6542, a remote attacker can take full control of the device without logging in through the web interface. Another one allows logged-in users to inject commands and gain root access. The issues show the risks of exposed management portals. TP-Link recommends updating firmware, limiting network access and monitoring systems for any signs of attack.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-6542 | TP-Link Omada Gateways (ER605, ER7206, ER8411 & Others) | Unauthenticated remote attackers can execute arbitrary OS commands on the device | Remote Code Execution, System Compromise, Malware Deployment |
| CVE-2025-7850 | TP-Link Omada Gateways (ER7412-M2, ER7212PC, & Others) | Command injection exploitable after admin authentication on the web portal | System Compromise, Root-Level Control |
Additional Vulnerabilities:
The following high-severity vulnerabilities were also addressed in the October 2025 TP-Link security updates for Omada Gateways:
| Vulnerability Name | CVE ID | Affected Component | Severity |
| Authenticated Arbitrary OS Command Execution in Omada Gateways | CVE-2025-6541 | TP-Link Omada Gateways | High |
| Root Shell Access Under Restricted Conditions in Omada Gateways | CVE-2025-7851 | TP-Link Omada Gateways | High |
Remediation:
Install the October 2025 firmware updates immediately via the TP-Link support portal to mitigate risks. The table below lists the affected and fixed versions for each model.
| Model | Affected Versions | Fixed Version |
| ER8411 | < 1.3.3 Build 20251013 Rel.44647 | >= 1.3.3 Build 20251013 Rel.44647 |
| ER7412-M2 | < 1.1.0 Build 20251015 Rel.63594 | >= 1.1.0 Build 20251015 Rel.63594 |
| ER707-M2 | < 1.3.1 Build 20251009 Rel.67687 | >= 1.3.1 Build 20251009 Rel.67687 |
| ER7206 | < 2.2.2 Build 20250724 Rel.11109 | >= 2.2.2 Build 20250724 Rel.11109 |
| ER605 | < 2.3.1 Build 20251015 Rel.78291 | >= 2.3.1 Build 20251015 Rel.78291 |
| ER706W | < 1.2.1 Build 20250821 Rel.80909 | >= 1.2.1 Build 20250821 Rel.80909 |
| ER706W-4G | < 1.2.1 Build 20250821 Rel.82492 | >= 1.2.1 Build 20250821 Rel.82492 |
| ER7212PC | < 2.1.3 Build 20251016 Rel.82571 | >= 2.1.3 Build 20251016 Rel.82571 |
| G36 | < 1.1.4 Build 20251015 Rel.84206 | >= 1.1.4 Build 20251015 Rel.84206 |
| G611 | < 1.2.2 Build 20251017 Rel.45512 | >= 1.2.2 Build 20251017 Rel.45512 |
| FR365 | < 1.1.10 Build 20250626 Rel.81746 | >= 1.1.10 Build 20250626 Rel.81746 |
| FR205 | < 1.0.3 Build 20251016 Rel.61376 | >= 1.0.3 Build 20251016 Rel.61376 |
| FR307-M2 | < 1.2.5 Build 20251015 Rel.76743 | >= 1.2.5 Build 20251015 Rel.76743 |
Here are some recommendations below
Conclusion:
No active exploitation has been observed, but organizations must prioritize firmware updates to prevent data breaches, malware and intrusions. Security teams should deploy updates immediately, enhance monitoring and implement mitigations to safeguard critical infrastructure.