New data from Forescout Technologies reveals two critical vulnerabilities in TP-Link Omada and Festa VPN routers, which are deployed across connected devices ranging from solar inverters to programmable logic controllers. CVE-2025-7850 allows OS command injection via WireGuard VPN settings, while CVE-2025-7851 enables unauthorized root access through residual debug code. A partial fix for CVE-2024-21827 left debug functionality exposed, opening new attack vectors. CVE-2025-7850 can be exploited remotely in certain setups without credentials, as protocol analysis indicates scenarios beyond the initial local exploitation.

Additional critical flaws were identified across TP-Link devices, with a full disclosure expected after patches are released in the first quarter of next year. Using the root foothold, Forescout identified multiple additional issues affecting other TP-Link models; those issues are in coordinated disclosure, after which it will publish full technical details.

The report identifies residual issues that could lead to further vulnerabilities and emphasizes the need for organizations to apply vendor firmware updates as soon as they become available. Recommendations include deploying perimeter controls and continuous monitoring to mitigate risks.