CVE-2025-9292

EUVD-2025-207523

13.02.2026, 02:16

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances.  Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface.  Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
tp-link	aginet	𝑥 < 2.13.6
tp-link	deco	𝑥 < 3.9.163
tp-link	festa	𝑥 < 1.7.1
tp-link	kasa	𝑥 < 3.4.350
tp-link	kidshield	𝑥 < 1.1.21
tp-link	omada	𝑥 < 4.25.25
tp-link	omada_guard	𝑥 < 1.1.28
tp-link	tapo	𝑥 < 3.14.111
tp-link	tether	𝑥 < 4.12.27
tp-link	tp-partner	𝑥 < 2.0.1
tp-link	tpcamera	𝑥 < 3.2.17
tp-link	vigi	𝑥 < 2.7.70
tp-link	wi-fi_navi	𝑥 < 1.5.5
tp-link	wifi_toolkit	𝑥 < 1.4.28

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
The software uses a cross-domain policy file that includes domains that should not be trusted.

References

https://www.omadanetworks.com/us/support/faq/4969/

https://www.tp-link.com/us/support/faq/4969/