CVE-2025-9292

HIGH

TP-Link Omada Cloud Controller - Permissive Cross-domain Security Policy with Untrusted Domains

Title source: llm
STIX 2.1

Description

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required.

References (2)

Core 2
Core References
Various Sources vendor-advisory
https://www.tp-link.com/us/support/faq/4969/
Various Sources vendor-advisory
https://www.omadanetworks.com/us/support/faq/4969/

Scores

CVSS v3 7.5
EPSS 0.0034
EPSS Percentile 25.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-942
Status published
Products (15)
tp-link/aginet < 2.13.6
tp-link/deco < 3.9.163
tp-link/festa < 1.7.1
tp-link/kasa < 3.4.350
tp-link/kidshield < 1.1.21
tp-link/omada < 4.25.25
tp-link/omada_guard < 1.1.28
tp-link/tapo < 3.14.111
tp-link/tether < 4.12.27
tp-link/tp-partner < 2.0.1
... and 5 more
Published Feb 13, 2026
Tracked Since Feb 18, 2026