TP-Link reveals more hardware security issues, so patch now or be at risk

  • TP-Link patched four Omada gateway flaws, two rated critical for code execution
  • Three were command injection bugs; one allowed root shell via privilege mismanagement
  • Multiple models affected; one critical flaw requires no authentication for exploitation

Network gear manufacturer TP-Link has patched four vulnerabilities discovered in its Omada gateway products, including two critical severity ones that could allow arbitrary code execution.

In a security advisory, TP-Link said three out of four flaws were command injection vulnerabilities. The fourth one was an improper privilege management flaw.

Both critical flaws are command injection vulnerabilities, tracked as CVE-2025-6542 and CVE-2025-7850, each with a severity score of 9.3/10. Exploiting the latter requires admin access to the web portal, while the former requires no authentication.

Numerous models affected

The other two flaws are tracked as CVE-2025-6541 (score 8.6/10) and CVE-2025-7851. The first is exploitable by users with access to the web management interface, while the second is the improper privilege management flaw, which allows threat actors to obtain a root shell on the underlying operating system.

Multiple product models and versions were said to be affected. Here is the entire list:

  • ER8411 < 1.3.3 Build 20251013 Rel.44647
  • ER7412-M2 < 1.1.0 Build 20251015 Rel.63594
  • ER707-M2 < 1.3.1 Build 20251009 Rel.67687
  • ER7206 < 2.2.2 Build 20250724 Rel.11109
  • ER605 < 2.3.1 Build 20251015 Rel.78291
  • ER706W < 1.2.1 Build 20250821 Rel.80909
  • ER706W-4G < 1.2.1 Build 20250821 Rel.82492
  • ER7212PC < 2.1.3 Build 20251016 Rel.82571
  • G36 < 1.1.4 Build 20251015 Rel.84206
  • G611 < 1.2.2 Build 20251017 Rel.45512
  • FR365 < 1.1.10 Build 20250626 Rel.81746
  • FR205 < 1.0.3 Build 20251016 Rel.61376
  • FR307-M2 < 1.2.5 Build 20251015 Rel.76743

TP-Link did not say whether these flaws are being exploited in the wild. However, cybercriminals often wait for companies to release advisories before attacking, knowing that many organizations rarely apply the fixes on time.

Via The Hacker News



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
