CVE-2026-1668

CRITICAL

TP-Link Omada Switches - Web Interface Memory Corruption Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-1668. PoCs published by tangrs.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-1668, targeting a stack-based buffer overflow in a MIPS-based firmware for TP-Link switches. The exploit includes a custom payload that binds a shell to port 8888, demonstrating remote code execution.

Description

The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bound memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution.<br>An unauthenticated attacker with network access to the affected interface may cause memory corruption, service instability, or information disclosure. Successful exploitation may allow remote code execution or denial-of-service.

Exploits (1)

nomisec WORKING POC

by tangrs · poc

https://github.com/tangrs/cve-2026-1668-poc

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2026-1668, targeting a stack-based buffer overflow in a MIPS-based firmware for TP-Link switches. The exploit includes a custom payload that binds a shell to port 8888, demonstrating remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: TP-Link SG/SL series switches (firmware versions listed in README)

No auth needed

Prerequisites: MIPS Linux GCC toolchain · fresh boot of the target device · network access to the device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (4)

Core 4

Core References

Various Sources patch

https://support.omadanetworks.com/us/product/

Various Sources patch

https://support.omadanetworks.com/au/download/firmware/

Various Sources patch

https://support.omadanetworks.com/en/download/firmware/

Various Sources vendor-advisory

https://support.omadanetworks.com/us/document/118794/

Scores

CVSS v3 9.8

EPSS 0.0014

EPSS Percentile 34.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20 CWE-787

Status published

Products (50)

tp-link/omada_sg2005p-pd_firmware 1.0.0 - 1.0.19

tp-link/omada_sg2008_firmware 4.20.0 - 4.20.17

tp-link/omada_sg2008p_firmware 3.20.0 - 3.20.17

tp-link/omada_sg2016p_firmware 1.20.0 - 1.20.17

tp-link/omada_sg2210mp_firmware 4.20.0 - 4.20.18

tp-link/omada_sg2210p_firmware 5.20.0 - 5.20.18

tp-link/omada_sg2210xmp-m2_firmware 1.0.0 - 1.0.19

tp-link/omada_sg2218_firmware 1.20.0 - 1.20.17

tp-link/omada_sg2218p_firmware 1.20.0 - 1.20.17

tp-link/omada_sg2428lp_firmware 1.0.0 - 1.0.13

... and 40 more

Published Mar 13, 2026

Tracked Since Mar 14, 2026