Password Bypass Vulnerability in Omada Controllers by Omada Networks
CVE-2025-9521

2.1LOW

Key Information:

Vendor: Tp-link Systems Inc.
Status: Omada Controller
Vendor: CVE Published:; 26 January 2026

🔔 Create Tp-link Systems Inc. Vulnerability Alert

What is CVE-2025-9521?

A vulnerability exists in Omada Controllers that allows attackers with a valid session token to bypass the password confirmation step. This flaw enables unauthorized changes to user passwords without the required verification process. As a result, the security of user accounts can be significantly compromised, potentially leading to unauthorized access and manipulation of sensitive information.

Affected Version(s)

Omada Controller 0 < 6.0

References

https://support.omadanetworks.com/us/document/115200/

vendor-advisory

https://support.omadanetworks.com/us/download/software/om...

patch

CVSS V4

Score:

2.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 26, 2026
Vulnerability Reserved
Aug 27, 2025

Credit

Eduardo Bido on behalf of Thoropass

CVE-2025-9521 Data

JSON