- CVE-2025-7851 comes from residual debug code left in patched firmware
- CVE-2025-7850 allows command injection via the WireGuard VPN interface
- Exploiting one vulnerability made the other easier to successfully trigger
Two recently revealed flaws in TP-Link’s Omada and Festa VPN routers have revealed deep weaknesses in the company’s firmware security.
The vulnerabilities, identified as CVE-2025-7850 and CVE-2025-7851, were identified by researchers at Forescout’s Vedere Labs.
These vulnerabilities have been described as part of a recurring pattern of incomplete patches and residual debug code.
Root access restored with remaining code
A previously known issue, CVE-2024-21827, allowed attackers to exploit a “leftover debug code” feature to gain root access on TP-Link routers.
Although TP-Link fixed this vulnerability, the update left remnants of the same debugging mechanism accessible under specific conditions.
If a certain system file, image_type_debug, was created on the device, the old root login behavior reappeared.
This discovery formed the basis of the new CVE-2025-7851 vulnerability.
The investigation then revealed a second flaw, CVE-2025-7850, affecting the routers’ WireGuard VPN configuration interface.
Improper sanitization of a private key field allowed an authenticated user to inject operating system commands, resulting in complete remote code execution as root.
In practice, exploiting one vulnerability made the other easier to trigger, creating a combined pathway to complete device control.
This reveals how routine patches can sometimes introduce new avenues of attack rather than eliminating existing ones.
The research team warns that CVE-2025-7850 could, in certain configurations, be exploited remotely without authentication.
This can potentially turn a VPN setup into an unexpected entry point for attackers.
By using root access, researchers were able to conduct a more comprehensive examination of TP-Link’s firmware.
They discovered 15 additional flaws in other TP-Link device families, which are now subject to coordinated disclosure and are expected to be fixed by early 2026.
Forescout recommends users to apply firmware updates immediately once TP-Link releases them, disable unnecessary remote access, and monitor network logs for signs of exploitation.
While this work provides valuable insights into router vulnerability research, it also reveals a troubling trend.
Similar “rooting” weaknesses continue to surface across multiple network brands, revealing systemic coding flaws that quick fixes rarely correct.
Until vendors thoroughly address the root causes, even patched devices can hide old flaws under new firmware, leaving a secure router vulnerable to exploitation.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
