CVE-2025-9520
IDOR Vulnerability in Omada Controller Enables Owner Account Hijack
Publication date: 2026-01-26
Last updated on: 2026-03-11
Assigner: TPLink
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | omada_controller | < 6.0 (6.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9520 is an Insecure Direct Object Reference (IDOR) vulnerability in Omada Controllers that allows an attacker who already has Administrator permissions to manipulate requests and potentially hijack the Owner account. This means the attacker can take full control over the Owner account, gaining complete administrative control over the Omada Controller and its connected services. The vulnerability affects versions prior to 6.0, and updating to version 6.0 or later fixes the issue. [1]
How can this vulnerability impact me?
This vulnerability can lead to a full takeover of the Owner account in Omada Controllers, granting an attacker complete administrative control over the controller and all connected services. This could result in unauthorized changes, disruption of network management, and potential compromise of network security. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update your Omada Controller to version 6.0 or later, as versions prior to 6.0 are affected by this IDOR vulnerability. [1, 2]