CVE-2025-9292
Cross-Origin Bypass in Omada Cloud Controller Risks Data Exposure
Publication date: 2026-02-13
Last updated on: 2026-04-01
Assigner: TPLink
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions (upper bound is the fixed version, excluded) |
|---|---|---|
| tp-link | aginet | < 2.13.6 |
| tp-link | deco | < 3.9.163 |
| tp-link | festa | < 1.7.1 |
| tp-link | kasa | < 3.4.350 |
| tp-link | kidshield | < 1.1.21 |
| tp-link | omada | < 4.25.25 |
| tp-link | omada_guard | < 1.1.28 |
| tp-link | tapo | < 3.14.111 |
| tp-link | tether | < 4.12.27 |
| tp-link | tp-partner | < 2.0.1 |
| tp-link | tpcamera | < 3.2.17 |
| tp-link | vigi | < 2.7.70 |
| tp-link | wi-fi_navi | < 1.5.5 |
| tp-link | wifi_toolkit | < 1.4.28 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a permissive cross-origin policy (CWE-942) in the Omada Cloud Controller service: the web client is permitted to communicate with domains that should not be trusted, so the cross-origin restrictions that browsers normally enforce can be bypassed under certain conditions.
Exploitation requires an existing client-side injection vulnerability in addition to user access to the affected web interface; the permissive policy is not exploitable on its own.
If successfully exploited, it could lead to unauthorized disclosure of sensitive information.
The issue has been fixed in updated versions of the Omada Cloud Controller service, which TP-Link deploys automatically, so no user action is required.
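The following is an added illustration of the CWE-942 pattern named above, written for this page; it is not TP-Link's code and does not reproduce the Omada Cloud Controller implementation. The page does not say which mechanism was permissive (a CORS header, a CSP or a cross-domain policy file), so a CORS origin-reflection bug is used as the stand-in. The hostnames, the response bodies and the `TRUSTED_ORIGINS` allow-list are all constructed for the example. It shows the vulnerable header logic beside a hardened version, and the check a tester runs over a captured response to decide whether an attacker-controlled page could read it cross-origin.

```javascript
// Added example (not TP-Link's code): a permissive cross-origin policy (CWE-942)
// as it appears on the wire, and the check a tester runs against a captured
// response. All hostnames, paths and bodies below are constructed.

// Assumed first-party origin of the web interface (hypothetical).
const TRUSTED_ORIGINS = new Set(['https://controller.example']);

// Vulnerable pattern: echo whatever Origin the request carried and allow
// credentials. Any site the logged-in victim visits can then read authenticated
// responses with fetch(url, { credentials: 'include' }).
function permissiveCorsHeaders(origin) {
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
  };
}

// Hardened pattern: echo only allow-listed origins, emit no CORS headers
// otherwise, and add Vary: Origin so a shared cache never serves one origin's
// headers to another.
function strictCorsHeaders(origin) {
  if (!TRUSTED_ORIGINS.has(origin)) return {};
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
    vary: 'Origin',
  };
}

// Parse the header block of a raw HTTP/1.1 response into a lower-cased map.
function parseResponseHeaders(raw) {
  const headers = {};
  const lines = raw.split(/\r?\n/);
  for (const line of lines.slice(1)) { // slice(1) skips the status line
    if (line.trim() === '') break;     // blank line ends the header block
    const idx = line.indexOf(':');     // first colon separates name from value
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Can a page at attackerOrigin read this (authenticated) response cross-origin?
// Browsers permit the read only when ACAO names that exact origin and
// credentials are allowed; "*" is not honoured together with credentials.
function crossOriginReadable(headers, attackerOrigin) {
  const acao = headers['access-control-allow-origin'];
  const creds = headers['access-control-allow-credentials'] === 'true';
  return creds && acao === attackerOrigin;
}

// Convenience wrapper: raw captured response in, verdict out.
function probe(rawResponse, attackerOrigin) {
  return crossOriginReadable(parseResponseHeaders(rawResponse), attackerOrigin);
}

// Constructed sample responses to a request carrying
// "Origin: https://attacker.example" and the victim's session cookie.
const VULNERABLE_RESPONSE =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: application/json\r\n' +
  'Access-Control-Allow-Origin: https://attacker.example\r\n' +
  'Access-Control-Allow-Credentials: true\r\n' +
  '\r\n' +
  '{"sites":[{"name":"HQ","adminEmail":"admin@controller.example"}]}';

const FIXED_RESPONSE =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: application/json\r\n' +
  'Vary: Origin\r\n' +
  '\r\n' +
  '{"sites":[{"name":"HQ","adminEmail":"admin@controller.example"}]}';

console.log('vulnerable response readable by attacker page:',
  probe(VULNERABLE_RESPONSE, 'https://attacker.example'));
console.log('fixed response readable by attacker page:',
  probe(FIXED_RESPONSE, 'https://attacker.example'));
```

To test a live endpoint the same way, send a request with a foreign `Origin` header (and a valid session cookie) and feed the raw response to `probe`; a `true` verdict means the origin is reflected with credentials, which is the condition the hardened `strictCorsHeaders` refuses. This covers only the CORS form of CWE-942; a CSP or cross-domain policy file that names untrusted domains would need its own check.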
How can this vulnerability impact me?
This vulnerability can impact you by potentially allowing unauthorized disclosure of sensitive information through bypassing browser-enforced cross-origin restrictions.
However, exploitation requires both an existing client-side injection vulnerability and user access to the affected web interface, which may limit the risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is nothing to scan for on your own network: the affected component is the Omada Cloud Controller service hosted by TP-Link, and the fix is deployed on that side. On the client side, the affected TP-Link apps and the versions at which each is fixed are listed in the table above; confirm that each installed app is at or above the listed version.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in updated Omada Cloud Controller service versions that are deployed automatically by TP-Link.
No user action is required to mitigate this vulnerability.