cbcvebase.
CVE-2025-6542
published 2025-10-21

CVE-2025-6542: An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.

PriorityP275critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.92%
56.0th percentile
An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.

Affected

29 ranges· showing 25
VendorProductVersion rangeFixed in
tp-linker605_firmware< 2.3.12.3.1
tp-linker605_firmware
tp-linker706w-4g_firmware< 1.2.11.2.1
tp-linker706w-4g_firmware
tp-linker706w_firmware< 1.2.11.2.1
tp-linker706w_firmware
tp-linker707-m2_firmware< 1.3.11.3.1
tp-linker707-m2_firmware
tp-linker7206_firmware< 2.2.22.2.2
tp-linker7206_firmware
tp-linker7212pc_firmware< 2.1.32.1.3
tp-linker7212pc_firmware
tp-linker7412-m2_firmware< 1.1.01.1.0
tp-linker7412-m2_firmware
tp-linker8411_firmware< 1.3.31.3.3
tp-linker8411_firmware
tp-linkfr205_firmware< 1.0.31.0.3
tp-linkfr205_firmware
tp-linkfr307-m2_firmware< 1.2.51.2.5
tp-linkfr307-m2_firmware
tp-linkfr365_firmware< 1.1.101.1.10
tp-linkfr365_firmware
tp-linkg36_firmware< 1.1.41.1.4
tp-linkg36_firmware
tp-linkg611_firmware< 1.2.21.2.2

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2025-6542 is a critical (CVSS 9.3) unauthenticated remote command injection vulnerability affecting TP-Link Omada gateway devices. Detection should focus on anomalous or unexpected HTTP requests to the web management interface of affected Omada gateway models (ER8411, ER7412-M2, ER707-M2, ER7206, ER605, ER706W, ER706W-4G, ER7212PC, G36, G611, FR365, FR205, FR307-M2) from unauthenticated sources.
  • Post-exploitation indicators to hunt for include signs of full device compromise, data exfiltration, lateral movement, and persistence mechanisms on affected TP-Link Omada gateway models.
  • ·CVE-2025-6542 affects 13 specific TP-Link Omada gateway models. Verify firmware versions against the affected version list; devices running firmware AT OR BELOW the listed affected versions are vulnerable. The fixed versions listed are the minimum safe firmware builds.
  • ·After applying firmware updates, TP-Link recommends verifying device configurations post-upgrade, as settings may not persist correctly through the update process.
  • ·The latest firmware release addresses all four related vulnerabilities (CVE-2025-6541, CVE-2025-6542, CVE-2025-8750, CVE-2025-7851) across all 13 affected Omada gateway models. Patching to the latest firmware is the recommended remediation for the full vulnerability set.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.