Authentication Weakness in Omada Controllers and Access Points
CVE-2025-9290

6 MEDIUM

What is CVE-2025-9290?

An authentication vulnerability has been detected in Omada Controllers, Gateways, and Access Points, caused by the improper handling of random values during controller-device adoption. This flaw may allow attackers, positioned strategically within the network, to intercept adoption traffic and perform offline precomputation to forge valid authentication credentials. As a result, sensitive information could be compromised, jeopardizing the overall confidentiality of the network.

Affected Version(s)

Omada Access Point (EAP215 Bridge KIT 3.0, EAP211 Bridge KIT 3.0): versions before 1.1.4 Build 20251112 Rel.34769

Omada Access Point (EAP230-Wall v1.0, EAP235-Wall v1.0): versions before 3.3.1 Build 20251203 Rel.58135

Omada Access Point (EAP603-Outdoor v1.0, EAP615-Wall v1.0/v1.20): versions before 1.5.1

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stanislav Dashevskyi and Francesco La Spina of Forescout Technologies.