CVE-2025-9292

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.omadanetworks.com/us/support/faq/4969/	Vendor Advisory
https://www.tp-link.com/us/support/faq/4969/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:tp-link:aginet::::::::
	cpe:2.3:a:tp-link:deco::::::::
	cpe:2.3:a:tp-link:festa::::::::
	cpe:2.3:a:tp-link:kasa::::::::
	cpe:2.3:a:tp-link:kidshield::::::::
	cpe:2.3:a:tp-link:omada::::::::
	cpe:2.3:a:tp-link:omada_guard::::::::
	cpe:2.3:a:tp-link:tapo::::::::
	cpe:2.3:a:tp-link:tether::::::::
	cpe:2.3:a:tp-link:tp-partner::::::::
	cpe:2.3:a:tp-link:tpcamera::::::::
	cpe:2.3:a:tp-link:vigi::::::::
	cpe:2.3:a:tp-link:wi-fi_navi::::::::
	cpe:2.3:a:tp-link:wifi_toolkit::::::::

History

01 Apr 2026, 20:52

Type	Values Removed	Values Added
References	~~() https://www.omadanetworks.com/us/support/faq/4969/ -~~	() https://www.omadanetworks.com/us/support/faq/4969/ - Vendor Advisory
References	~~() https://www.tp-link.com/us/support/faq/4969/ -~~	() https://www.tp-link.com/us/support/faq/4969/ - Vendor Advisory
Summary		(es) Una configuración de seguridad web permisiva puede permitir que las restricciones de origen cruzado impuestas por los navegadores modernos sean eludidas bajo circunstancias específicas. La explotación requiere la presencia de una vulnerabilidad de inyección del lado del cliente existente y acceso de usuario a la interfaz web afectada. La explotación exitosa podría permitir la divulgación no autorizada de información sensible. Corregido en versiones actualizadas del servicio Omada Cloud Controller desplegadas automáticamente por TP?Link. No se requiere ninguna acción del usuario.
CPE		cpe:2.3:a:tp-link:wi-fi_navi:::::::: cpe:2.3:a:tp-link:omada_guard:::::::: cpe:2.3:a:tp-link:festa:::::::: cpe:2.3:a:tp-link:tp-partner:::::::: cpe:2.3:a:tp-link:tapo:::::::: cpe:2.3:a:tp-link:tether:::::::: cpe:2.3:a:tp-link:omada:::::::: cpe:2.3:a:tp-link:wifi_toolkit:::::::: cpe:2.3:a:tp-link:kidshield:::::::: cpe:2.3:a:tp-link:aginet:::::::: cpe:2.3:a:tp-link:kasa:::::::: cpe:2.3:a:tp-link:tpcamera:::::::: cpe:2.3:a:tp-link:deco:::::::: cpe:2.3:a:tp-link:vigi::::::::
First Time		Tp-link tether Tp-link Tp-link kasa Tp-link festa Tp-link omada Guard Tp-link wifi Toolkit Tp-link deco Tp-link kidshield Tp-link tapo Tp-link omada Tp-link aginet Tp-link tp-partner Tp-link wi-fi Navi Tp-link vigi Tp-link tpcamera
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

13 Feb 2026, 23:16

Type	Values Removed	Values Added
References		() https://www.omadanetworks.com/us/support/faq/4969/ -

13 Feb 2026, 02:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-13 02:16

Updated : 2026-04-01 20:52

NVD link : CVE-2025-9292

Mitre link : CVE-2025-9292

CVE.ORG link : CVE-2025-9292

JSON object : View

Products Affected

tp-link

tpcamera
wifi_toolkit
tether
vigi
festa
wi-fi_navi
omada
omada_guard
kasa
deco
kidshield
aginet
tp-partner
tapo

CWE

CWE-942

Permissive Cross-domain Policy with Untrusted Domains

7.5 /10