Cyber Posture

CVE-2025-6542

Critical · RCE

Published: 21 October 2025

Modified: 24 October 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-6542 is a critical-severity OS Command Injection (CWE-78) vulnerability in TP-Link ER8411 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 32.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly remediates the OS command injection vulnerability by requiring timely application of vendor-provided patches for affected TP-Link Omada products.

prevent: Prevents arbitrary OS command execution by enforcing input validation and error handling on network-facing interfaces vulnerable to CWE-78 injection.

prevent: Limits remote unauthenticated network access to the vulnerable router management interfaces through boundary protection controls.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

The CVE enables unauthenticated remote exploitation of a public-facing application (T1190), leading to arbitrary OS command execution on network devices (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.

Deeper analysis [AI]

CVE-2025-6542 is a critical OS command injection vulnerability (CWE-78) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), published on 2025-10-21T01:15:37.063. It affects TP-Link Omada networking products, including various router models listed under Omada routers, Omada Pro wired routers, and SOHO Festa gateways.

A remote unauthenticated attacker can exploit the vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables execution of arbitrary OS commands on the affected product, resulting in high impacts to confidentiality, integrity, and availability.

Vendor advisories and product details for mitigation, including patches where available, are provided at https://support.omadanetworks.com/en/document/108455/, https://www.omadanetworks.com/us/business-networking/all-omada-router/, https://www.omadanetworks.com/us/business-networking/omada-pro-router-wired-router/, and https://www.tp-link.com/us/business-networking/soho-festa-gateway/.

Details

CWE(s)

Affected Products

tp-link · er8411 firmware · 1.3.3 · ≤ 1.3.3
tp-link · er7412-m2 firmware · 1.1.0 · ≤ 1.1.0
tp-link · er707-m2 firmware · 1.3.1 · ≤ 1.3.1
tp-link · er7206 firmware · 2.2.2 · ≤ 2.2.2
tp-link · er605 firmware · 2.3.1 · ≤ 2.3.1
tp-link · er706w firmware · 1.2.1 · ≤ 1.2.1
tp-link · er706w-4g firmware · 1.2.1 · ≤ 1.2.1
tp-link · er7212pc firmware · 2.1.3 · ≤ 2.1.3
tp-link · g36 firmware · 1.1.4 · ≤ 1.1.4
tp-link · g611 firmware · 1.2.2 · ≤ 1.2.2
+3 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-15518 (same vendor: TP-Link)
CVE-2026-22224 (same vendor: TP-Link)
CVE-2026-22222 (same vendor: TP-Link)
CVE-2025-15519 (same vendor: TP-Link)
CVE-2026-30815 (same vendor: TP-Link)
CVE-2024-57357 (same vendor: TP-Link)
CVE-2026-0631 (same vendor: TP-Link)
CVE-2026-0654 (same vendor: TP-Link)
CVE-2026-30818 (same vendor: TP-Link)
CVE-2025-9377 (same vendor: TP-Link)
