
- CVE-2025-7851 comes from residual debug code left in patched firmware
- CVE-2025-7850 allows command injection through the WireGuard VPN interface
- Exploiting one vulnerability made the other easier to trigger successfully

Two recently revealed flaws in TP-Link’s Omada and Festa VPN routers have exposed deep-seated weaknesses in the company’s firmware security.
The vulnerabilities, tracked as CVE-2025-7850 and CVE-2025-7851, were identified by researchers at Forescout’s Vedere Labs.
These vulnerabilities were described as part of a recurring pattern of incomplete patches and residual debugging code.
Root access revived thanks to leftover code
A previously known issue, CVE-2024-21827, allowed attackers to exploit a “leftover debug code” feature to gain root access on TP-Link routers.
Although TP-Link patched this vulnerability, the update left remnants of the same debugging mechanism accessible under specific conditions.
If a certain system file, image_type_debug, was created on the device, the old root login behavior would reappear.
This discovery formed the basis of the new vulnerability CVE-2025-7851.
The investigation then discovered a second flaw, CVE-2025-7850, affecting the routers’ WireGuard VPN configuration interface.
Improper sanitization of a private key field allowed an authenticated user to inject operating system commands, resulting in complete remote code execution as the root user.
In practice, exploiting one vulnerability made the other easier to activate, creating a combined path to complete control of the device.
This reveals how routine fixes can sometimes introduce new attack paths rather than eliminating existing ones.
The research team warns that CVE-2025-7850 could, in some configurations, be exploited remotely without authentication.
This can potentially turn a VPN setup into an unexpected entry point for attackers.
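The input handling that closes off the kind of private key field injection described above for CVE-2025-7850, as an added example (not TP-Link's or Forescout's code). It assumes the field should hold a standard WireGuard key (base64 of 32 bytes) and that the key is applied with `wg set <interface> private-key <file>`; the page does not say how the firmware applies it, and the function names and interface-name pattern are hypothetical.

```python
import base64
import binascii
import os
import re

IFACE_RE = re.compile(r"[A-Za-z0-9_-]{1,15}")  # assumption: allowed interface names
KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")     # 32 bytes -> 44 base64 characters


def parse_wg_private_key(field):
    """Return the 32 raw key bytes, or raise ValueError for anything else."""
    if not isinstance(field, str) or not KEY_RE.fullmatch(field):
        raise ValueError("private key must be 44 base64 characters")
    try:
        raw = base64.b64decode(field, validate=True)
    except binascii.Error as exc:
        raise ValueError("private key is not valid base64") from exc
    # Reject non-canonical encodings so the stored value is exactly what was checked.
    if len(raw) != 32 or base64.b64encode(raw).decode("ascii") != field:
        raise ValueError("private key must be canonical base64 of 32 bytes")
    return raw


def build_wg_command(interface, key_field, key_dir):
    """Validate both inputs, store the key in a 0600 file, return an argv list."""
    if not isinstance(interface, str) or not IFACE_RE.fullmatch(interface):
        raise ValueError("invalid interface name")
    raw = parse_wg_private_key(key_field)
    key_path = os.path.join(key_dir, interface + ".key")
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        # Write the re-encoded key, never the submitted string itself.
        fh.write(base64.b64encode(raw).decode("ascii") + "\n")
    # An argv list is executed without a shell, e.g. subprocess.run(argv),
    # so no part of the request is ever interpreted as shell syntax.
    return ["wg", "set", interface, "private-key", key_path]
```

The key reaches the command only as a file path built from validated parts, so a rejected field fails before anything is written or executed.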
By using root access, researchers were able to conduct a more thorough examination of the TP-Link firmware.
They discovered 15 additional flaws in other TP-Link device families, which are now under coordinated disclosure and are expected to be fixed in early 2026.
Forescout recommends that users apply firmware updates immediately once TP-Link releases them, disable unnecessary remote access, and monitor network logs for signs of exploitation.
Although the work provides valuable insights into router vulnerability research, it also reveals a worrying pattern.
Similar “root” weaknesses continue to appear across multiple network brands, revealing systemic coding flaws that quick patches rarely fix.
Until vendors thoroughly address the root causes, even patched devices can hide old flaws under new firmware, leaving a seemingly secure router vulnerable to exploitation.



