CVE-2025-6542
published 2025-10-21CVE-2025-6542: An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.
PriorityP275critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.92%
56.0th percentile
An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.
Affected
29 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | er605_firmware | < 2.3.1 | 2.3.1 |
| tp-link | er605_firmware | — | — |
| tp-link | er706w-4g_firmware | < 1.2.1 | 1.2.1 |
| tp-link | er706w-4g_firmware | — | — |
| tp-link | er706w_firmware | < 1.2.1 | 1.2.1 |
| tp-link | er706w_firmware | — | — |
| tp-link | er707-m2_firmware | < 1.3.1 | 1.3.1 |
| tp-link | er707-m2_firmware | — | — |
| tp-link | er7206_firmware | < 2.2.2 | 2.2.2 |
| tp-link | er7206_firmware | — | — |
| tp-link | er7212pc_firmware | < 2.1.3 | 2.1.3 |
| tp-link | er7212pc_firmware | — | — |
| tp-link | er7412-m2_firmware | < 1.1.0 | 1.1.0 |
| tp-link | er7412-m2_firmware | — | — |
| tp-link | er8411_firmware | < 1.3.3 | 1.3.3 |
| tp-link | er8411_firmware | — | — |
| tp-link | fr205_firmware | < 1.0.3 | 1.0.3 |
| tp-link | fr205_firmware | — | — |
| tp-link | fr307-m2_firmware | < 1.2.5 | 1.2.5 |
| tp-link | fr307-m2_firmware | — | — |
| tp-link | fr365_firmware | < 1.1.10 | 1.1.10 |
| tp-link | fr365_firmware | — | — |
| tp-link | g36_firmware | < 1.1.4 | 1.1.4 |
| tp-link | g36_firmware | — | — |
| tp-link | g611_firmware | < 1.2.2 | 1.2.2 |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2025-6542 is a critical (CVSS 9.3) unauthenticated remote command injection vulnerability affecting TP-Link Omada gateway devices. Detection should focus on anomalous or unexpected HTTP requests to the web management interface of affected Omada gateway models (ER8411, ER7412-M2, ER707-M2, ER7206, ER605, ER706W, ER706W-4G, ER7212PC, G36, G611, FR365, FR205, FR307-M2) from unauthenticated sources. ↗
- →Post-exploitation indicators to hunt for include signs of full device compromise, data exfiltration, lateral movement, and persistence mechanisms on affected TP-Link Omada gateway models. ↗
- ·CVE-2025-6542 affects 13 specific TP-Link Omada gateway models. Verify firmware versions against the affected version list; devices running firmware AT OR BELOW the listed affected versions are vulnerable. The fixed versions listed are the minimum safe firmware builds. ↗
- ·After applying firmware updates, TP-Link recommends verifying device configurations post-upgrade, as settings may not persist correctly through the update process. ↗
- ·The latest firmware release addresses all four related vulnerabilities (CVE-2025-6541, CVE-2025-6542, CVE-2025-8750, CVE-2025-7851) across all 13 affected Omada gateway models. Patching to the latest firmware is the recommended remediation for the full vulnerability set. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Bleepingcomputer
TP-Link warns of critical command injection flaw in Omada gateways
blogs_bleepingcomputer·2025-10-21·CVSS 8.6
[HIGH] TP-Link warns of critical command injection flaw in Omada gateways
## TP-Link warns of critical command injection flaw in Omada gateways
## Bill Toulas
TP-Link is warning of two command injection vulnerabilities in Omada gateway devices that could be exploited to execute arbitrary OS commands.
Omada gateways are marketed as full-stack solutions (router, firewall, VPN gateway) for small to medium businesses, and are constantly increasing in popularity.
Although the two security issues lead to the same result when triggered, only one of them, identified as CVE-2025-6542 with a critical severity rating of 9.3, can be exploited by a remote attacker without authentication.
The second flaw is tracked as CVE-2025-6541 and received a lower severity score of 8.6. However, it can be exploited only if the attacker can log into the web management interface.
“An
Bugzilla
CVE-2023-53494 kernel: crypto: xts - Handle EBUSY correctly
bugzilla·2025-10-01·CVSS 7.8
CVE-2023-53494 [HIGH] CVE-2023-53494 kernel: crypto: xts - Handle EBUSY correctly
CVE-2023-53494 kernel: crypto: xts - Handle EBUSY correctly
In the Linux kernel, the following vulnerability has been resolved:
crypto: xts - Handle EBUSY correctly
As it is xts only handles the special return value of EINPROGRESS,
which means that in all other cases it will free data related to the
request.
However, as the caller of xts may specify MAY_BACKLOG, we also need
to expect EBUSY and treat it in the same way. Otherwise backlogged
requests will trigger a use-after-free.
Discussion:
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100124-CVE-2023-53494-6542@gregkh/T
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:19409 https://access.redhat.com/errata/RHSA-2025:19409
---
This issue has been addresse
2025-10-21
Published