{"id":3357,"date":"2025-10-24T09:00:44","date_gmt":"2025-10-24T09:00:44","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/10\/24\/major-vulnerabilities-found-in-tp-link-vpn-routers\/"},"modified":"2025-10-24T09:00:44","modified_gmt":"2025-10-24T09:00:44","slug":"major-vulnerabilities-found-in-tp-link-vpn-routers","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/10\/24\/major-vulnerabilities-found-in-tp-link-vpn-routers\/","title":{"rendered":"Major Vulnerabilities Found in TP-Link VPN Routers"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Researchers at Forescout\u2019s Vedere Labs have discovered two new vulnerabilities in TP-Link\u2019s Omada and Festa VPN routers that could allow threat actors to perform command injection and unauthorized root access.<\/p>\n<p>These flaws, tracked as CVE-2025-7850 and CVE-2025-7851, are respectively considered critical (CVSS 4.0 of 9.3) and high-severity (CVSS 4.0 of 8.7).<\/p>\n<p>According to a Vedere Labs report published on October 23, these vulnerabilities come from what the researchers described as an incomplete fix of CVE-2024-21827 by TP-Link in 2024, which left debug functionality accessible, meaning that partial remediation created alternate attack paths.<\/p>\n<p>After rooting a TP-Link Omada ER605v2 router, they discovered that the patch addressed CVE-2024-21827, but left two serious caveats:<\/p>\n<ol>\n<li>The same private key used across multiple devices was required for both root access and firmware signing<\/li>\n<li>The old \u201cdebug code\u201d remained, which meant that if an attacker could create the \u201c<em>image_type_debug<\/em>\u201d file via another vulnerability or hidden feature, the original root login path could still be exploitable<\/li>\n<\/ol>\n<p>This issue was reported to TP-Link, which assigned it CVE-2025-7851, as a flaw that allows unauthorized root access to 
some Omada and Festa VPN routers through residual debug code.<\/p>\n<p>\u201cHowever, CVE-2025-7851 alone was insufficient for us to root the ER605v2 directly: we didn\u2019t have the private key and the \u201c<em>image_type_debug<\/em>\u201d file was not present in the public firmware,\u201d the Vedere Labs researchers wrote.<\/p>\n<p>They analyzed the use of LuCI, a Lua-based framework for configuring devices via the web UI or other interfaces, by many TP-Link products with \u201ca history of vulnerabilities.\u201d<\/p>\n<p>The researchers quickly found that the WireGuard VPN settings in the web UI of the ER605v2 router exposed a private-key field that was not properly sanitized, allowing an authenticated user to inject arbitrary OS commands that the device executes with root privileges. This vulnerability was also reported to TP-Link, which assigned it CVE-2025-7850.<\/p>\n<p>Additionally, the researchers\u2019 analysis revealed that CVE-2025-7850 can be exploited without credentials in certain deployments, with potential exploit scenarios beyond initial local exploitation.<\/p>\n<p>The patches for these two vulnerabilities have now been released by TP-Link.<\/p>\n<p>Vedere Labs recommended that users apply TP-Link\u2019s firmware patches immediately and add further security controls, including the following:<\/p>\n<ul>\n<li>Deploying web application firewalls in front of management interfaces and blocking command injection and web-based attacks<\/li>\n<li>Disabling remote administration where feasible<\/li>\n<li>Logging all admin sessions and router traffic and looking out for anomalies and exploitation indicators<\/li>\n<li>Reviewing vendor support mechanisms on TP-Link devices<\/li>\n<\/ul>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Researchers at Forescout\u2019s Vedere Labs have discovered two new vulnerabilities in TP-Link\u2019s Omada 
and Festa VPN routers that could allow threat actors to perform command injection and unauthorized root access. These flaws, tracked as CVE-2025-7850 and CVE-2025-7851, are respectively considered critical (CVSS 4.0 of 9.3) and high-severity (CVSS 4.0 of 8.7). According to a Vedere<\/p>\n","protected":false},"author":2,"featured_media":3358,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3357","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-co
ntent\/uploads\/2025\/10\/3357-b531dc84-ef2c-496e-887c-f7c973740007-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3357","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3357"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3357\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3358"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}