TP-Link warns of critical command injection flaw in Omada gateways
TP-Link is warning of two command injection vulnerabilities in Omada gateway devices that could be exploited to execute arbitrary OS commands. Although the two security issues lead to the same result when triggered, only one of them, identified as CVE-2025-6542 with a critical severity rating of 9.3, can be exploited by a remote attacker without authentication. “An arbitrary OS command may be executed on Omada gateways by the user who can log in to the web management interface or by a remote unauthenticated attacker,” reads TP-Link’s advisory. In a separate bulletin, TP-Link warned of two other severe flaws that could allow authenticated command injection and root access under certain conditions.
To read the complete article see: Bleeping Computer