CVE-2025-6542 - asking for clarification
Is this a WAN-side attack, or does the attacker have to be on the LAN side?
Please clarify.
Edit:
@Vincent-TP - can someone clarify this please? I need to know the true severity of this and if I have to trash any 605v1 I have in operation.
Edit 2:
From online sources, it appears to be a LAN-side attack. (Don't make your web admin accessible from WAN; who does that?)
So I am not going to panic into replacing a router at a small business with no public wifi.
CORRECT ME IF I AM WRONG.
CVE-2025-6541 : TP-Link Omada Gateway Remote Command Injection Vulnerability Analysis - CYFIRMA
How Does CVE-2025-6541 Work?
- The Omada gateway’s web admin interface lets admins set device parameters (like DNS server addresses, diagnostics, etc.).
- Some of these web inputs are insecurely managed: the values are passed directly to system commands without sanitizing special characters.
- An authenticated attacker (logged in as admin or similar) enters input containing a command separator (such as &, or |), followed by a malicious command, turning a safe command into something unsafe.
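
The input handling described in the quoted analysis, as an added example that is not part of the original post and is not TP-Link's code: a DNS-server field pasted into a shell string, next to a version that parses the value as an IP address and builds an argument list with no shell. The `nslookup` diagnostic, the probe name and all function names are assumptions made for illustration; the sample inputs are constructed.

```python
import ipaddress
import subprocess

# Hypothetical diagnostic command; the firmware's real handler is not shown on the page.
DIAG_BINARY = "nslookup"
PROBE_NAME = "example.com"

def unsafe_command(dns_server):
    """Pattern from the write-up: the field value is pasted into a shell string."""
    return f"{DIAG_BINARY} {PROBE_NAME} {dns_server}"

def safe_argv(dns_server):
    """Parse the field as an IP address, then build an argv list (no shell involved)."""
    try:
        addr = ipaddress.ip_address(dns_server.strip())
    except ValueError:
        raise ValueError(f"rejected DNS server value: {dns_server!r}") from None
    # Newer Python versions accept an IPv6 zone suffix ("%...") with arbitrary text; refuse it.
    if getattr(addr, "scope_id", None):
        raise ValueError(f"rejected DNS server value: {dns_server!r}")
    # Pass on the parser's canonical form, never the raw input.
    return [DIAG_BINARY, PROBE_NAME, str(addr)]

def run_diagnostic(dns_server):
    # A list with the default shell=False means each element is exactly one argument.
    return subprocess.run(safe_argv(dns_server), capture_output=True,
                          text=True, timeout=10, check=False)

def audit(values):
    """Return (value, verdict) for each submitted field value."""
    results = []
    for value in values:
        try:
            safe_argv(value)
            results.append((value, "accepted"))
        except ValueError:
            results.append((value, "rejected"))
    return results

# Constructed sample inputs for the DNS-server field.
SAMPLES = ["192.0.2.53", "2001:db8::53", "192.0.2.53 & echo MARKER",
           "192.0.2.53 | echo MARKER", "dns.example"]

if __name__ == "__main__":
    for value, verdict in audit(SAMPLES):
        print(f"{verdict:8}  {value!r}")
        print("          shell string would be:", unsafe_command(value))
```
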
