Cyber Posture

CVE-2025-6542

Critical

Published: 21 October 2025

Modified: 24 October 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Security Summary

CVE-2025-6542 is a critical OS command injection vulnerability (CWE-78) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), published on 2025-10-21T01:15:37.063. It affects TP-Link Omada networking products, including various router models listed under Omada routers, Omada Pro wired routers, and SOHO Festa gateways.

A remote unauthenticated attacker can exploit the vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables execution of arbitrary OS commands on the affected product, resulting in high impacts to confidentiality, integrity, and availability.

Vendor advisories and product details for mitigation, including patches where available, are provided at https://support.omadanetworks.com/en/document/108455/, https://www.omadanetworks.com/us/business-networking/all-omada-router/, https://www.omadanetworks.com/us/business-networking/omada-pro-router-wired-router/, and https://www.tp-link.com/us/business-networking/soho-festa-gateway/.

Details

CWE(s)
CWE-78

Affected Products

tp-link er8411 firmware: 1.3.3 · ≤ 1.3.3
tp-link er7412-m2 firmware: 1.1.0 · ≤ 1.1.0
tp-link er707-m2 firmware: 1.3.1 · ≤ 1.3.1
tp-link er7206 firmware: 2.2.2 · ≤ 2.2.2
tp-link er605 firmware: 2.3.1 · ≤ 2.3.1
tp-link er706w firmware: 1.2.1 · ≤ 1.2.1
tp-link er706w-4g firmware: 1.2.1 · ≤ 1.2.1
tp-link er7212pc firmware: 2.1.3 · ≤ 2.1.3
tp-link g36 firmware: 1.1.4 · ≤ 1.1.4
tp-link g611 firmware: 1.2.2 · ≤ 1.2.2
+3 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

The CVE enables unauthenticated remote exploitation of a public-facing application (T1190), leading to arbitrary OS command execution on network devices (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References