CVE-2026-1668

high-risk
Published 2026-03-13

The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bounds memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution.

An unauthenticated attacker with network access to the affected interface may cause memory corruption, service instability, or information disclosure. Successful exploitation may allow remote code execution or denial-of-service.

Do I need to act?

- 0.37% chance of exploitation
  EPSS score: low exploit probability
- Not on CISA KEV list
  No confirmed active exploitation reported to CISA
- Patch status unknown
  Check vendor advisories for fix availability and mitigation guidance
- CVSS 9.8/10 Critical
  NETWORK / LOW complexity

Affected Products (20)

Omada Sg2005P-Pd Firmware
Omada Sg2008 Firmware
Omada Sg2008P Firmware
Omada Sg2016P Firmware
Omada Sg2210Mp Firmware
Omada Sg2210P Firmware
Omada Sg2210Xmp-M2 Firmware
Omada Sg2218 Firmware
Omada Sg2218P Firmware
Omada Sg2428Lp Firmware
Omada Sg2428P Firmware
Omada Sg2452Lp Firmware
Omada Sg3210 Firmware
Omada Sg3210Xhp-M2 Firmware
Omada Sg3210X-M2 Firmware
Omada Sg3218Xp-M2 Firmware
Omada Sg3428 Firmware
Omada Sg3428Mp Firmware
Omada Sg3428X Firmware
Omada Sg3428Xf Firmware

Affected Vendors

57 / 100, high-risk
Severity 32/34 · Critical
Exploitability 1/34 · Minimal
Exposure 24/34 · High