TP-Link warns of four critical vulnerabilities in Omada gateways that allow arbitrary command execution and root access. More than ten models in the ER, G, and FR series are affected, and TP-Link has released firmware updates for each of them.
Omada gateways are positioned as comprehensive solutions (router, firewall, VPN gateway) for small and medium-sized businesses.
The most dangerous of the identified issues is the critical CVE-2025-6542 (CVSS score 9.3). This bug can be exploited by a remote attacker without authentication. The second vulnerability, CVE-2025-6541 (CVSS score 8.6), requires logging into the web management interface. Both issues can lead to full device compromise, data theft, attacker lateral movement, and persistence in the system.
“A user with access to the web interface or a remote unauthenticated attacker can execute arbitrary commands on Omada gateways,” the TP-Link security advisory states. “Attackers can execute arbitrary commands in the device’s underlying OS.”
The vulnerabilities affect 13 Omada gateway models, including ER8411, ER7412-M2, ER707-M2, ER7206, ER605, ER706W, ER706W-4G, ER7212PC, G36, G611, FR365, FR205, and FR307-M2, across various firmware versions.
TP-Link has released updates that fix both vulnerabilities and strongly recommends that users apply the patches as soon as possible and check their device configurations after the update.
Additionally, in a separate security advisory, the company warned about two other vulnerabilities:
- CVE-2025-8750 (CVSS score 9.3) allows an attacker with the administrator password to inject commands via the Omada web portal;
- CVE-2025-7851 (CVSS score 8.7) allows obtaining root shell access on the underlying OS, but within Omada’s privilege boundaries.
These two vulnerabilities also affect all the above-listed Omada gateway models. It is emphasized that the latest firmware addresses all four issues at once.