- CVE-2025-7851 stems from residual debugging code left in patched firmware
- CVE-2025-7850 enables command injection through the WireGuard VPN interface
- Exploiting one vulnerability made the other easier to trigger
Two recently disclosed flaws in TP-Link’s Omada and Festa VPN routers have revealed deep-seated weaknesses in the company’s firmware security.
The vulnerabilities, tracked as CVE-2025-7850 and CVE-2025-7851, were identified by researchers from Forescout’s Vedere Labs.
These vulnerabilities were described as part of a recurring pattern of incomplete patching and residual debug code.
Root access revived through residual code
A previously known issue, CVE-2024-21827, allowed attackers to exploit a “residual debug code” feature to gain root access on TP-Link routers.
Although TP-Link fixed this vulnerability, the update left remnants of the same debugging mechanism available under specific conditions.
If a certain system file, image_type_debug, was created on the device, the old root login behavior reappeared.
This discovery formed the basis of the new CVE-2025-7851 vulnerability.
The investigation then revealed another flaw, CVE-2025-7850, affecting the router’s WireGuard VPN configuration interface.
Improper sanitization of a private key field allowed an authenticated user to inject operating system commands, resulting in full remote code execution as the root user.
In practice, exploiting one vulnerability made the other easier to trigger, creating a combined route to complete device control.
This reveals how routine fixes can sometimes introduce new attack paths rather than eliminate existing ones.
The research team warns that in some configurations, CVE-2025-7850 can be exploited remotely without authentication.
This can potentially make a VPN setup an unexpected entry point for attackers.
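The class of flaw behind CVE-2025-7850 is an unsanitized key field reaching the operating system. As an added illustration (not TP-Link's or Forescout's code), this is how a configuration backend can check the field strictly and keep it away from any shell. The function names, file layout and sample key are assumptions made for the example; `wg set <interface> private-key <file>` is the standard WireGuard CLI form.

```python
import base64
import binascii
import os
import re

# A WireGuard key is 32 raw bytes, which base64-encodes to exactly
# 44 characters: 43 from the base64 alphabet plus one '=' pad.
_WG_KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")
# Assumed interface-name policy: short, alphanumeric start, no '/' or spaces.
_IFACE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,14}")

# Constructed sample key (bytes 0..31), for demonstration only.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()


def is_valid_wg_private_key(value):
    """Return True only for a well-formed base64 WireGuard key."""
    if not isinstance(value, str):
        return False
    # fullmatch rejects anything before or after the key, newlines included.
    if _WG_KEY_RE.fullmatch(value) is None:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def key_update_argv(interface, key, key_dir):
    """Validate the inputs, store the key with mode 0600, and return an
    argv list for subprocess.run(argv) with the default shell=False."""
    if _IFACE_RE.fullmatch(interface) is None:
        raise ValueError("invalid interface name")
    if not is_valid_wg_private_key(key):
        raise ValueError("invalid WireGuard private key")
    path = os.path.join(key_dir, interface + ".key")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key + "\n")
    # The key travels as file content, never as part of a command string.
    return ["wg", "set", interface, "private-key", path]
```

Because the value is rejected unless it is exactly one base64-encoded 32-byte key, characters that a shell would interpret never reach the command line.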
By using root access, the researchers were able to conduct a more comprehensive examination of TP-Link’s firmware.
They discovered 15 additional bugs across other TP-Link device families that are now undergoing coordinated disclosure and are expected to be fixed in early 2026.
Forescout recommends that users apply firmware updates immediately when TP-Link releases them, disable unnecessary remote access, and monitor network logs for signs of exploitation.
While the work provides valuable insight into router vulnerability research, it also reveals a troubling pattern.
Similar “rooting” vulnerabilities continue to pop up across multiple network brands, exposing systemic coding flaws that quick patches rarely fix.
Until vendors thoroughly address the root causes, even patched devices can hide old bugs under new firmware, leaving a seemingly secure router vulnerable to exploitation.



