Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
WARNING: Remote command injection in TP-Link Omada Gateway devices can be exploited to gain full system control, Patch Immediately!
Image
Published : 21/10/2025
* Last update: 21/10/2025
* Affected software: TP-Link Omada Gateways, including:
→ ER8411 < 1.3.3 Build 20251013
→ ER7412-M2 < 1.1.0 Build 20251015
→ ER707-M2 < 1.3.1 Build 20251009
→ ER7206 < 2.2.2 Build 20250724
→ ER605 < 2.3.1 Build 20251015
→ ER706W / ER706W-4G < 1.2.1 Build 20250821
→ ER7212PC < 2.1.3 Build 20251016
→ G36 < 1.1.4 Build 20251015
→ G611 < 1.2.2 Build 20251017
→ FR365 < 1.1.10 Build 20250626
→ FR205 < 1.0.3 Build 20251016
→ FR307-M2 < 1.2.5 Build 20251015* Type:
→ CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
* CVE/CVSS
→ CVE-2025-6542: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
→ CVE-2025-7850: CVSS 9.3 (CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H)
→ CVE-2025-6541: CVSS 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Sources
Omada (TP-Link): https://support.omadanetworks.com/en/document/108455/
Omada (TP-Link): https://support.omadanetworks.com/en/document/108456/
Risks
TP-Link Omada Gateway devices provide routing and network-edge services for business networks. Exploiting CVE-2025-6542 could allow a remote, unauthenticated attacker to execute arbitrary operating-system commands on the gateway device, effectively compromising the system. This could impact confidentiality (exfiltration of configuration data or network traffic), integrity (alteration of routing rules or firmware), and availability (service disruption or full device control).
Description
CVE-2025-6542 is a critical remote OS command-injection vulnerability (CWE-78) in TP-Link’s Omada Gateway product line. The flaw resides in the web management interface of the gateway, where certain user-supplied parameters are not properly sanitized, allowing an unauthenticated attacker to craft inputs that result in arbitrary OS command execution. Because no credentials are required and the attack vector is remote (network access to management interface), the exploitation barrier is very low.
CVE-2025-7850: This is another command-injection vulnerability in the Omada gateway line, exploitable after administrator authentication on the web portal. The attacker with admin credentials can execute OS commands on the device, effectively compromising the system.
CVE-2025-6541: This vulnerability allows a logged-in authenticated user of the web management interface to execute arbitrary operating-system commands. Although the attacker must have valid credentials, it remains highly dangerous because it permits device takeover.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.
While patching appliances or software to the newest version or implementing specific mitigations may protect against future exploitation, it does not remediate historic compromise.
References
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6542
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7850
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6541