CVE-2025-9292
Status: Awaiting Analysis (queue)
Cross-Origin Bypass in Omada Cloud Controller Risks Data Exposure

Publication date: 2026-02-13

Last updated on: 2026-04-01

Assigner: TPLink

Description
A permissive web security configuration may allow the cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP-Link. No user action is required.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-13
EPSS evaluated: 2026-06-14
Source: NVD
Affected Vendors & Products
Showing 14 associated CPEs (version ranges list the upper bound, which is excluded)
Vendor    Product        Affected versions
tp-link   aginet         < 2.13.6
tp-link   deco           < 3.9.163
tp-link   festa          < 1.7.1
tp-link   kasa           < 3.4.350
tp-link   kidshield      < 1.1.21
tp-link   omada          < 4.25.25
tp-link   omada_guard    < 1.1.28
tp-link   tapo           < 3.14.111
tp-link   tether         < 4.12.27
tp-link   tp-partner     < 2.0.1
tp-link   tpcamera       < 3.2.17
tp-link   vigi           < 2.7.70
tp-link   wi-fi_navi     < 1.5.5
tp-link   wifi_toolkit   < 1.4.28
CWE
CWE-942: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Executive Summary

This vulnerability involves a permissive web security configuration that may allow cross-origin restrictions, which are normally enforced by modern browsers, to be bypassed under certain conditions.

Exploitation requires an existing client-side injection vulnerability and user access to the affected web interface.

If successfully exploited, it could lead to unauthorized disclosure of sensitive information.

The issue has been fixed in updated versions of the Omada Cloud Controller service, which are deployed automatically by TP-Link, requiring no user action.

Impact Analysis

This vulnerability could allow unauthorized disclosure of sensitive information by bypassing the cross-origin restrictions that browsers enforce.

However, exploitation requires both an existing client-side injection vulnerability and user access to the affected web interface, which may limit the risk.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed in updated Omada Cloud Controller service versions that are deployed automatically by TP-Link.

No user action is required to mitigate this vulnerability.
