TP-Link has issued vital security updates for its Omada gateway devices, addressing four distinct security vulnerabilities. The patches, released on October 22, 2025, target flaws, including two critical bugs that could result in arbitrary code execution on affected systems.

Critical Remote Code Execution Flaws Addressed

Among the patched vulnerabilities, two stand out due to their high severity and potential for remote code execution. CVE-2025-6542, assigned a CVSS score of 9.3, is an operating system command injection vulnerability. This flaw could be exploited by a remote unauthenticated attacker to run arbitrary commands on the Omada gateway device. Another critical vulnerability, CVE-2025-7850, also rated with a CVSS score of 9.3, involves an operating system command injection. An attacker in possession of an administrator password for the web portal could exploit this to run arbitrary commands.

Additional Security Vulnerabilities Patched

TP-Link also addressed two other significant security issues. CVE-2025-6541, with a CVSS score of 8.6, is an operating system command injection vulnerability. Exploitation of this flaw requires an attacker to log in to the web management interface, after which they could run arbitrary commands. The fourth vulnerability, CVE-2025-7851, carrying a CVSS score of 8.7, concerns improper privilege management. This particular flaw could be exploited by an attacker to obtain the root shell on the underlying operating system of the device. TP-Link’s security updates are designed to mitigate these identified risks across its Omada gateway product line.

Source: https://thehackernews.com/2025/10/tp-link-patches-four-omada-gateway.html