Threat Insight
TP-Link Router Command Injection and Root Access Vulnerabilities
Two new vulnerabilities[1] could allow a threat actor to gain root privileges and execute arbitrary commands on TP-Link Omada gateway devices.
CVE-2025-7850: This is a command injection vulnerability that can be exploited after an administrator logs into the web portal of TP-Link Omada gateways. It allows attackers to inject and execute arbitrary operating system commands via the web interface.
CVE-2025-7851: This flaw enables attackers to gain root shell access to the underlying system of Omada gateways. It can be chained with CVE-2025-7850 or other vulnerabilities to deepen the compromise.
Successful exploitation of CVE-2025-7850 requires authenticated access to the web portal with admin privileges. However, no other user interaction is needed beyond the login.
CVE
CVE-2025-7850
CVE-2025-7851
Affected Products
ER8411 < 1.3.3 Build 20251013 Rel.44647
ER7412-M2 < 1.1.0 Build 20251015 Rel.63594
ER707-M2 < 1.3.1 Build 20251009 Rel.67687
ER7206 < 2.2.2 Build 20250724 Rel.11109
ER605 < 2.3.1 Build 20251015 Rel.78291
ER706W < 1.2.1 Build 20250821 Rel.80909
ER706W-4G < 1.2.1 Build 20250821 Rel.82492
ER7212PC < 2.1.3 Build 20251016 Rel.82571
G36 < 1.1.4 Build 20251015 Rel.84206
G611 < 1.2.2 Build 20251017 Rel.45512
FR365 < 1.1.10 Build 20250626 Rel.81746
FR205 < 1.0.3 Build 20251016 Rel.61376
FR307-M2 < 1.2.5 Build 20251015 Rel.76743
Exploitation
Exploitation has been detected in the wild, and a proof-of-concept (PoC) exploit seems to have previously been publicly available[2].
Recommended Actions
Truesec recommends applying the latest TP-Link firmware patches as soon as available.
Deploy web application firewalls in front of management interfaces to filter malicious traffic and prevent command injection and other web-based exploits.
Where possible, disable remote administration to reduce exposure. For essential access, enforce VPN usage and implement stringent access controls to safeguard management interfaces.
References
[1] https://support.omadanetworks.com/us/document/108456/
[2] https://github.com/ByteHawkSec/CVE-2025-7850-POC