Critical flaws in TP-Link Omada and Festa VPN routers could allow attackers to take control of a device, according to a report released Thursday from Forescout Research - Vedere Labs.
One vulnerability, tracked as CVE-2025-7850, could enable OS command injection through improper sanitization of user input, according to the researchers. The flaw, which has a severity score of 9.3, in some cases can be exploited without requiring credentials to the device.
A second vulnerability, tracked as CVE-2025-7851, allows root access via residual debug code, and has a severity score of 8.7. The flaw exposes hidden functionality that allows for root login via SSH, Forescout researchers told Cybersecurity Dive.
TP-Link devices have been the target of exploitation activity in the past, including large botnets such as Quad7, says Daniel dos Santos, head of research at Forescout Research.
Those attacks involved China-linked threat groups targeting Microsoft 365 accounts with password-spray attacks.
The researchers said they are not aware of any exploitation involving the newly found vulnerabilities, but given that one is rated as critical and the other as high-severity, users should immediately apply new firmware updates issued by TP-Link.
TP-Link also urged users to apply upgrades immediately and change passwords once the upgrades are completed.
During Forescout’s analysis, the researchers also uncovered additional vulnerabilities, and are coordinating with TP-Labs to address those issues as well. Some of the flaws are critical and allow for remote exploitation. Forescout did not disclose any details about those additional vulnerabilities but said it expects TP-Labs to patch them by the first quarter of 2026.