- CVE-2025-7851 stems from residual debug code left in patched firmware
- CVE-2025-7850 enables command injection through the WireGuard VPN interface
- Exploiting one vulnerability made the other easier to trigger successfully
Two newly disclosed flaws in TP-Link’s Omada and Festa VPN routers have exposed deep-seated weaknesses in the company’s firmware security.
The vulnerabilities, tracked as CVE-2025-7850 and CVE-2025-7851, were identified by researchers from Forescout’s Vedere Labs.
These vulnerabilities were described as part of a recurring pattern of incomplete patching and residual debug code.
Root access revived through leftover code
A previously known issue, CVE-2024-21827, allowed attackers to exploit a “leftover debug code” function to gain root access on TP-Link routers.
Although TP-Link patched this vulnerability, the update left remnants of the same debug mechanism accessible under specific conditions.
If a certain system file, image_type_debug, was created on the device, the old root login behavior reappeared.
This discovery formed the basis for the new CVE-2025-7851 vulnerability.
The investigation then uncovered a second flaw, CVE-2025-7850, affecting the routers’ WireGuard VPN configuration interface.
Improper sanitization of a private key field enabled an authenticated user to inject operating system commands, resulting in full remote code execution as the root user.
In practice, exploiting one vulnerability made the other easier to trigger, creating a combined route to complete device control.
This reveals how routine fixes can sometimes introduce fresh attack paths rather than eliminate existing ones.
The research team warns that CVE-2025-7850 could, in some configurations, be exploited remotely without authentication.
This can potentially turn a VPN setup into an unexpected entry point for attackers.
By using root access, the researchers were able to conduct a more comprehensive examination of TP-Link’s firmware.
They discovered 15 additional flaws across other TP-Link device families, which are now under coordinated disclosure and expected to be patched by early 2026.
Forescout recommends that users apply firmware updates immediately once TP-Link releases them, disable unnecessary remote access, and monitor network logs for signs of exploitation.
Although the work provides valuable insight into router vulnerability research, it also reveals a troubling pattern.
Similar “rooting” weaknesses continue to surface across multiple networking brands, revealing systemic coding faults that quick patches rarely address.
Until vendors address root causes thoroughly, even patched devices may hide old flaws beneath new firmware, leaving a secure router vulnerable to exploitation.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
About the Author
