CVE-2025-9290
Authentication Bypass in Omada Controllers via Adoption Traffic Forgery
Publication date: 2026-01-23
Last updated on: 2026-03-16
Assigner: TPLink
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | omada_controller | to 6.0.0.24 (exc) |
| tp-link | omada_controller | to 6.0.0.100 (exc) |
| tp-link | oc200_firmware | to 1.37.9 (exc) |
| tp-link | oc220_firmware | to 1.1.3 (exc) |
| tp-link | oc300_firmware | to 1.31.9 (exc) |
| tp-link | oc400_firmware | to 1.9.9 (exc) |
| tp-link | oc200_firmware | to 2.22.9 (exc) |
| tp-link | oc220_firmware | * |
| tp-link | er605_firmware | to 2.3.2 (exc) |
| tp-link | er7206_firmware | to 2.2.2 (exc) |
| tp-link | er7406_firmware | to 1.2.2 (exc) |
| tp-link | er707-m2_firmware | to 1.3.1 (exc) |
| tp-link | er7412-m2_firmware | to 1.1.0 (exc) |
| tp-link | er8411_firmware | to 1.3.5 (exc) |
| tp-link | er706w_firmware | to 1.2.1 (exc) |
| tp-link | er706w-4g_firmware | to 1.2.1 (exc) |
| tp-link | er706wp-4g_firmware | to 1.1.0 (exc) |
| tp-link | er703wp-4g-outdoor_firmware | to 1.1.0 (exc) |
| tp-link | dr3220v-4g_firmware | to 1.1.0 (exc) |
| tp-link | dr3650v-4g_firmware | to 1.1.0 (exc) |
| tp-link | dr3650v_firmware | to 1.1.0 (exc) |
| tp-link | er701-5g-outdoor_firmware | to 1.0.0 (exc) |
| tp-link | er605w_firmware | to 2.0.2 (exc) |
| tp-link | er7212pc_firmware | to 2.2.1 (exc) |
| tp-link | fr365_firmware | to 1.1.10 (exc) |
| tp-link | g36w-4g_firmware | to 1.1.5 (exc) |
| tp-link | eap655-wall_firmware | to 1.6.2 (exc) |
| tp-link | eap660_hd_firmware | to 1.6.1 (exc) |
| tp-link | eap620_hd_firmware | to 1.6.1 (exc) |
| tp-link | eap610-outdoor_firmware | to 1.6.1 (exc) |
| tp-link | eap610_firmware | to 1.6.1 (exc) |
| tp-link | eap623-outdoor_hd_firmware | to 1.6.1 (exc) |
| tp-link | eap625-outdoor_hd_firmware | to 1.6.1 (exc) |
| tp-link | eap772_firmware | to 1.3.2 (exc) |
| tp-link | eap772-outdoor_firmware | to 1.3.2 (exc) |
| tp-link | eap770_firmware | to 1.3.2 (exc) |
| tp-link | eap723_firmware | to 1.3.2 (exc) |
| tp-link | eap773_firmware | to 1.1.2 (exc) |
| tp-link | eap783_firmware | to 1.1.2 (exc) |
| tp-link | eap772_firmware | to 1.1.2 (exc) |
| tp-link | eap787_firmware | to 1.1.2 (exc) |
| tp-link | eap720_firmware | to 1.1.2 (exc) |
| tp-link | eap723_firmware | to 1.1.2 (exc) |
| tp-link | eap725-wall_firmware | to 1.1.2 (exc) |
| tp-link | eap215_bridge_kit_firmware | to 1.1.4 (exc) |
| tp-link | eap211_bridge_kit_firmware | to 1.1.4 (exc) |
| tp-link | beam_bridge_5_ur_firmware | to 1.1.5 (exc) |
| tp-link | eap603gp-desktop_firmware | to 1.1.0 (exc) |
| tp-link | eap615gp-wall_firmware | to 1.1.0 (exc) |
| tp-link | eap625gp-wall_firmware | to 1.1.0 (exc) |
| tp-link | eap610gp-desktop_firmware | to 1.1.0 (exc) |
| tp-link | eap650gp-desktop_firmware | to 1.0.1 (exc) |
| tp-link | eap653_firmware | to 1.3.3 (exc) |
| tp-link | eap650-outdoor_firmware | to 1.3.3 (exc) |
| tp-link | eap230-wall_firmware | to 3.3.1 (exc) |
| tp-link | eap235-wall_firmware | to 3.3.1 (exc) |
| tp-link | eap603-outdoor_firmware | to 1.5.1 (exc) |
| tp-link | eap653_ur_firmware | to 1.4.2 (exc) |
| tp-link | eap650-desktop_firmware | to 1.1.0 (exc) |
| tp-link | eap615-wall_firmware | to 1.1.0 (exc) |
| tp-link | eap100-bridge_kit_firmware | to 1.0.3 (exc) |
| tp-link | er706w-4g_firmware | to 2.1.0 (exc) |
| tp-link | omada_controller | to 6.0.0.34 (exc) |
| tp-link | omada_controller | to 5.15.24 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-760 | The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9290 is an authentication weakness in TP-Link Omada Controllers, Gateways, and Access Points caused by improper handling of random values during the controller-device adoption process. An attacker with advanced network positioning can intercept adoption traffic and use offline precomputation to forge valid authentication credentials. This allows the attacker to potentially expose sensitive information and compromise confidentiality. [1]
How can this vulnerability impact me? :
This vulnerability can lead to exposure of sensitive information and compromise the confidentiality of your network communications. An attacker exploiting this weakness could gain unauthorized access by forging authentication credentials during device adoption, potentially leading to further security breaches within your network. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-9290, immediately update your TP-Link Omada Controllers, Gateways, and Access Points to the latest firmware versions provided by TP-Link. After upgrading, change all relevant passwords to reduce the risk of password leakage. Failure to apply these updates leaves the vulnerability exploitable. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability can lead to exposure of sensitive information and compromise confidentiality, which may negatively impact compliance with standards and regulations such as GDPR and HIPAA that require protection of sensitive data. However, specific effects on compliance are not detailed in the provided resources. [1]