TP-Link warns of critical flaws in Omada gateways across ER, G, and FR models. Users should update firmware immediately to stay secure.
TP-Link is warning users of critical flaws impacting its Omada gateway devices. The Taiwanese company published two security advisories this week, outlining four vulnerabilities that impacts more than a dozen products across the ER, G, and FR series. The vendor has already released firmware updates to address the issues and urges users to install it immediately.
The most severe vulnerability, tracked as CVE-2025-6542 (CVSS score of 9.3) is an arbitrary OS command impacting Omada gateways.
“An arbitrary OS command may be executed on Omada gateways by the user who can log in to the web management interface or by a remote unauthenticated attacker.” reads the advisory. “Attackers may execute arbitrary commands on the device’s underlying operating system.”
The flaw affects the following products and versions:
| Affected Product Model | Affected Version | Fixed Version |
| ER8411 | < 1.3.3 Build 20251013 Rel.44647 | >= 1.3.3 Build 20251013 Rel.44647 |
| ER7412-M2 | < 1.1.0 Build 20251015 Rel.63594 | >= 1.1.0 Build 20251015 Rel.63594 |
| ER707-M2 | < 1.3.1 Build 20251009 Rel.67687 | >= 1.3.1 Build 20251009 Rel.67687 |
| ER7206 | < 2.2.2 Build 20250724 Rel.11109 | >= 2.2.2 Build 20250724 Rel.11109 |
| ER605 | < 2.3.1 Build 20251015 Rel.78291 | >= 2.3.1 Build 20251015 Rel.78291 |
| ER706W | < 1.2.1 Build 20250821 Rel.80909 | >= 1.2.1 Build 20250821 Rel.80909 |
| ER706W-4G | < 1.2.1 Build 20250821 Rel.82492 | >= 1.2.1 Build 20250821 Rel.82492 |
| ER7212PC | < 2.1.3 Build 20251016 Rel.82571 | >= 2.1.3 Build 20251016 Rel.82571 |
| G36 | < 1.1.4 Build 20251015 Rel.84206 | >= 1.1.4 Build 20251015 Rel.84206 |
| G611 | < 1.2.2 Build 20251017 Rel.45512 | >= 1.2.2 Build 20251017 Rel.45512 |
| FR365 | < 1.1.10 Build 20250626 Rel.81746 | >= 1.1.10 Build 20250626 Rel.81746 |
| FR205 | < 1.0.3 Build 20251016 Rel.61376 | >= 1.0.3 Build 20251016 Rel.61376 |
| FR307-M2 | < 1.2.5 Build 20251015 Rel.76743 | >= 1.2.5 Build 20251015 Rel.76743 |
The vendor addressed a second command critical vulnerability, tracked as CVE-2025-7850 (CVSS score of 9.3). The vulnerability is a command injection issue, an attacker could exploit the flaw after the admin’s authentication on the web portal on Omada gateways.
“A command injection vulnerability may be exploited after the admin’s authentication on the web portal on Omada gateways.” reads the advisory.
The flaw affects the following products:
| Affected Product Model | Affected Version | Fixed Version |
| ER8411 | < 1.3.3 Build 20251013 Rel.44647 | >= 1.3.3 Build 20251013 Rel.44647 |
| ER7412-M2 | < 1.1.0 Build 20251015 Rel.63594 | >= 1.1.0 Build 20251015 Rel.63594 |
| ER707-M2 | < 1.3.1 Build 20251009 Rel.67687 | >= 1.3.1 Build 20251009 Rel.67687 |
| ER7206 | < 2.2.2 Build 20250724 Rel.11109 | >= 2.2.2 Build 20250724 Rel.11109 |
| ER605 | < 2.3.1 Build 20251015 Rel.78291 | >= 2.3.1 Build 20251015 Rel.78291 |
| ER706W | < 1.2.1 Build 20250821 Rel.80909 | >= 1.2.1 Build 20250821 Rel.80909 |
| ER706W-4G | < 1.2.1 Build 20250821 Rel.82492 | >= 1.2.1 Build 20250821 Rel.82492 |
| ER7212PC | < 2.1.3 Build 20251016 Rel.82571 | >= 2.1.3 Build 20251016 Rel.82571 |
| G36 | < 1.1.4 Build 20251015 Rel.84206 | >= 1.1.4 Build 20251015 Rel.84206 |
| G611 | < 1.2.2 Build 20251017 Rel.45512 | >= 1.2.2 Build 20251017 Rel.45512 |
| FR365 | < 1.1.10 Build 20250626 Rel.81746 | >= 1.1.10 Build 20250626 Rel.81746 |
| FR205 | < 1.0.3 Build 20251016 Rel.61376 | >= 1.0.3 Build 20251016 Rel.61376 |
| FR307-M2 | < 1.2.5 Build 20251015 Rel.76743 | >= 1.2.5 Build 20251015 Rel.76743 |
The two additional vulnerabilities fixed by the vendor are:
- CVE-2025-7851 (CVSS score of 8.7) – root access vulnerabilities on Omada. An attacker may obtain the root shell on the underlying with the restricted conditions on Omada gateways.
- CVE-2025-6541 (CVSS score of 8.6) – An arbitrary OS command may be executed on Omada gateways by the user who can log in to the web management interface or by a remote unauthenticated attacker.
TP-Link is urging all users to take immediate action:
- Install the latest firmware updates available on TP-Link’s support site.
- Change default or weak passwords on all affected Omada gateways.
- Restrict access to the device’s management interface, ideally limiting it to trusted internal networks.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, TP-Link)
