Bypassable Cross-Origin Restrictions in TP-Link Omada Cloud Controller
CVE-2025-9292

2LOW

Key Information:

Vendor: Tp-link Systems Inc.
Status: Omada Cloud Controller
Vendor: CVE Published:; 13 February 2026

🔔 Create Tp-link Systems Inc. Vulnerability Alert

What is CVE-2025-9292?

A misconfigured web security setting in the TP-Link Omada Cloud Controller could allow adversaries to bypass cross-origin restrictions imposed by modern web browsers. This vulnerability necessitates the existence of a client-side injection vulnerability and requires user access to the affected web interface. If exploited, this could lead to unauthorized access and disclosure of sensitive user information. TP-Link has addressed this issue in subsequent updates, which are deployed automatically with no action needed from users.

Affected Version(s)

Omada Cloud Controller Omada 0

References

https://www.tp-link.com/us/support/faq/4969/

vendor-advisory

https://www.omadanetworks.com/us/support/faq/4969/

vendor-advisory

CVSS V4

Score:

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 13, 2026
Vulnerability Reserved
Aug 20, 2025

Credit

Francesco La Spina, Stanislav Dashevskyi from Forescout Technologies

CVE-2025-9292 Data

JSON