CVE-2025-6541
published 2025-10-21

CVE-2025-6541: An arbitrary OS command may be executed on the product by the user who can log in to the web management interface.

Priority P261 · high · 8.8 · CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.64% (46.1th percentile)

Affected

29 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | er605_firmware | < 2.3.1 | 2.3.1 |
| tp-link | er605_firmware | | |
| tp-link | er706w-4g_firmware | < 1.2.1 | 1.2.1 |
| tp-link | er706w-4g_firmware | | |
| tp-link | er706w_firmware | < 1.2.1 | 1.2.1 |
| tp-link | er706w_firmware | | |
| tp-link | er707-m2_firmware | < 1.3.1 | 1.3.1 |
| tp-link | er707-m2_firmware | | |
| tp-link | er7206_firmware | < 2.2.2 | 2.2.2 |
| tp-link | er7206_firmware | | |
| tp-link | er7212pc_firmware | < 2.1.3 | 2.1.3 |
| tp-link | er7212pc_firmware | | |
| tp-link | er7412-m2_firmware | < 1.1.0 | 1.1.0 |
| tp-link | er7412-m2_firmware | | |
| tp-link | er8411_firmware | < 1.3.3 | 1.3.3 |
| tp-link | er8411_firmware | | |
| tp-link | fr205_firmware | < 1.0.3 | 1.0.3 |
| tp-link | fr205_firmware | | |
| tp-link | fr307-m2_firmware | < 1.2.5 | 1.2.5 |
| tp-link | fr307-m2_firmware | | |
| tp-link | fr365_firmware | < 1.1.10 | 1.1.10 |
| tp-link | fr365_firmware | | |
| tp-link | g36_firmware | < 1.1.4 | 1.1.4 |
| tp-link | g36_firmware | | |
| tp-link | g611_firmware | < 1.2.2 | 1.2.2 |

Detection & IOCs (extracted from sources)

  • CVE-2025-6541 is a command injection vulnerability exploitable by an authenticated user logged into the TP-Link Omada gateway web management interface, allowing arbitrary OS command execution on the device's underlying operating system.
  • Successful exploitation can lead to full device compromise, data theft, lateral movement, and persistence — treat any anomalous outbound connections or new processes spawned from the Omada gateway web management process as high-priority indicators.
  • CVE-2025-6541 affects authenticated sessions on the web management interface; monitor for unusual or unexpected authenticated logins to the Omada gateway web portal, especially from unfamiliar IPs or at odd hours.
  • CVE-2025-6541 affects 13 specific TP-Link Omada gateway models; verify your device model and firmware version against the affected list before assuming exposure.
  • After applying firmware updates that address CVE-2025-6541, TP-Link recommends verifying device configurations post-upgrade to ensure all settings remain as intended.
  • The latest firmware release addresses all four related vulnerabilities (CVE-2025-6541, CVE-2025-6542, CVE-2025-8750, CVE-2025-7851) simultaneously; a single firmware update is sufficient to remediate all.

CVSS provenance

nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 8.6 · HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X