Skip to main content

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 15:03 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-12049
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 16:53 nvd
HIGH 7.7

DescriptionCVE.org

The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bound memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution.<br>An unauthenticated attacker with network access to the affected interface may cause memory corruption, service instability, or information disclosure. Successful exploitation may allow remote code execution or denial-of-service.

AnalysisAI

Unauthenticated attackers can trigger out-of-bounds memory access in the web interface of multiple Omada switches through improper input validation, potentially achieving remote code execution or causing denial-of-service. Affected products include Sg2005p PD 1.x, Sg2008 4.2x/4.3x, and Sg2008p 3.2x/3.3x, which require only network access to the vulnerable interface. A patch is available to address this high-severity vulnerability (CVSS 7.7).

Technical ContextAI

The vulnerability affects Omada switches' web management interface, where improper input validation (CWE-20) leads to out-of-bounds memory access during request processing. This classic web application security flaw occurs when external inputs are not properly sanitized before being used in memory operations, potentially allowing attackers to write beyond allocated buffer boundaries. The affected products appear to be TP-Link Omada series managed switches, though specific CPE identifiers and exact model numbers are not provided in the available data.

RemediationAI

Primary remediation requires applying vendor-supplied firmware updates once available, though no specific patch version or vendor advisory URL is currently referenced. As immediate mitigation, restrict network access to the web management interface using ACLs or firewall rules to allow only trusted administrative IP addresses. Consider disabling the web interface entirely if not required and use alternative management methods such as CLI over SSH where possible.

Share

CVE-2026-1668 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy