The Omada switch web interface lacks proper input validation, causing out-of-bounds memory accesses when handling crafted requests. An unauthenticated attacker with network reach to the management interface can exploit this to corrupt memory, trigger service instability, leak information, or execute arbitrary commands. The vulnerability is classified as CWE‑20 (Improper Input Validation) and CWE‑787 (Out‑of‑Bounds Write).

TP‑Link Systems Omada switch models are affected, including SG2005P‑PD, SG2008, SG2008P, SG2016P, SG2210MP, SG2210P, SG2210XMP‑M2, SG2218, SG2218P, SG2428LP, SG2428P, SG2452LP, SG3210, SG3210X‑M2, SG3210XHP‑M2, SG3218XP‑M2, SG3428, SG3428MP, SG3428X, SG3428X‑M2, SG3428XF, SG3428XMP, SG3428XMPP, SG3428XPP‑M2, SG3452, SG3452P, SG3452X, SG3452XP, SL2428P, SX3008F, SX3016F, SX3032F, SX3206HPP, SX3832, SX3832MPP, TL‑SG2428P, TL‑SG3428MP, and TL‑SG3452P. Firmware versions containing the suffix ’x’ (e.g., 1.x, 4.x) are included in the affected set.

The CVSS score of 7.7 indicates moderate-to-high severity, while an EPSS score of less than 1 % suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires network access to the web interface and does not require authentication, allowing an attacker to send specially crafted HTTP requests that may lead to memory corruption or remote code execution. Despite the low exploitation likelihood, the potential impact is significant: compromised switches could disrupt network operations or provide a foothold for further attacks. Prompt mitigation is therefore recommended.