TP-Link has issued a warning about two critical command injection vulnerabilities in its Omada gateway devices that could allow attackers to execute arbitrary OS commands. One vulnerability, CVE-2025-6542, has a critical severity rating of 9.3 and can be exploited remotely without authentication, while the other, CVE-2025-6541, requires user authentication. Users are urged to apply firmware updates to mitigate these risks, along with two additional severe flaws affecting the same devices.