Researchers at Forescout’s Vedere Labs have discovered two new vulnerabilities in TP-Link’s Omada and Festa VPN routers that could allow threat actors to inject OS commands and gain unauthorized root access.
These flaws, tracked as CVE-2025-7850 and CVE-2025-7851, are respectively considered critical (CVSS 4.0 of 9.3) and high-severity (CVSS 4.0 of 8.7).
According to a Vedere Labs report published on October 23, the vulnerabilities stem from what the researchers described as an incomplete fix for CVE-2024-21827, shipped by TP-Link in 2024, which left debug functionality reachable; the partial remediation thus created alternate attack paths.
After rooting a TP-Link Omada ER605v2 router, they discovered that the patch addressed CVE-2024-21827, but left two serious caveats:
- Both root access and firmware signing depended on a single private key that is shared across multiple devices
- The old “debug code” remained, so if an attacker could create the “image_type_debug” file through another vulnerability or hidden feature, the original root login path could still be exploited
Vedere Labs reported this issue to TP-Link, which assigned it CVE-2025-7851: a flaw that allows unauthorized root access to some Omada and Festa VPN routers through residual debug code.
“However, CVE-2025-7851 alone was insufficient for us to root the ER605v2 directly: we didn’t have the private key and the “image_type_debug” file was not present in the public firmware,” the Vedere Labs researchers wrote.
They then turned to LuCI, a Lua-based framework for configuring devices through the web UI and other interfaces, which is used by many TP-Link products and which the researchers noted has “a history of vulnerabilities.”
The researchers quickly found that the WireGuard VPN settings page in the ER605v2’s web UI exposed a private-key field whose value was not sanitized, allowing an authenticated user to inject arbitrary OS commands that the device executes as root. This vulnerability was also reported to TP-Link, which assigned it CVE-2025-7850.
The researchers’ analysis further showed that, in certain deployments, CVE-2025-7850 can be exploited without credentials, opening exploit scenarios beyond initial local exploitation.
TP-Link has now released patches for both vulnerabilities.
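To make the bug class concrete, the following is an added illustration, not TP-Link’s code and not taken from the Vedere Labs report, of how a WireGuard private-key form field that is spliced into a shell command line turns into command injection, beside a hardened handler that validates the field against the key grammar and invokes the tool without a shell. The handler, the `wg pubkey` command it wraps, and both inputs are assumptions constructed for the example.

```python
"""Illustrative only: an unsanitized WireGuard private-key field becoming OS
command injection, and the safe way to handle the same field. Not TP-Link's
code; the handler, command and inputs are assumptions for this example."""
import base64
import binascii
import re
import subprocess

# A WireGuard key is 32 bytes, so its base64 form is exactly 44 characters
# and ends in a single '=' pad. Anything else is not a key and is rejected.
_WG_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")


def is_valid_wg_key(value: str) -> bool:
    """Strict allow-list check for WireGuard key syntax (not key strength)."""
    if not _WG_KEY_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return False
    return len(raw) == 32


def build_vulnerable_command(private_key: str) -> str:
    """The bug pattern: the form field is concatenated into a shell command.
    (Hypothetical handler that derives the public key with `wg pubkey`.)"""
    return f"echo {private_key} | wg pubkey"


def run_vulnerable(private_key: str) -> subprocess.CompletedProcess:
    """Runs the spliced string through /bin/sh, the way a LuCI handler calling
    os.execute() or io.popen() would. Metacharacters in the field are parsed
    by the shell, so the attacker's command runs with the handler's privileges."""
    return subprocess.run(build_vulnerable_command(private_key),
                          shell=True, capture_output=True, text=True)


def build_safe_invocation(private_key: str) -> tuple[list[str], str]:
    """Hardened form: validate against the key grammar first, then hand the key
    to an argv list on stdin. No shell is involved, so metacharacters are inert,
    and the value never appears on a command line or in process listings."""
    if not is_valid_wg_key(private_key):
        raise ValueError("not a WireGuard key")
    return (["wg", "pubkey"], private_key + "\n")


# Constructed inputs for the demo. GOOD_KEY is a test vector, not a real secret.
GOOD_KEY = base64.b64encode(bytes(range(32))).decode()
EVIL_KEY = "x; echo INJECTED #"   # '#' comments out the rest of the line

if __name__ == "__main__":
    print("vulnerable command line:", build_vulnerable_command(EVIL_KEY))
    print("shell output:", run_vulnerable(EVIL_KEY).stdout.split())
    print("valid key accepted:", is_valid_wg_key(GOOD_KEY))
    try:
        build_safe_invocation(EVIL_KEY)
    except ValueError as e:
        print("hardened handler rejected payload:", e)
```

The hardened variant is meant to be executed as `subprocess.run(argv, input=stdin)` with the tuple it returns; the point is that rejection happens before any process is spawned, and that even a value which slipped past validation could not reach a shell. Quoting the field with `shlex.quote` before concatenation would also close this particular hole, but an allow-list plus argv execution is the more robust pattern because it does not depend on getting the quoting right.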
Vedere Labs recommended that users apply TP-Link’s firmware patches immediately and add further security controls, including:
- Deploying web application firewalls in front of management interfaces to block command injection and other web-based attacks
- Disabling remote administration where feasible
- Logging all admin sessions and router traffic and watching for anomalies and indicators of exploitation
- Reviewing vendor support mechanisms on TP-Link devices
