CVE-2025-9289

Summary

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator’s browser, potentially exposing sensitive information and compromising confidentiality.

Affected Software

VendorProductVersion RangeStatus
TP-Link Systems Inc.Omada Software Controller0 < 6.0.0.24affected
TP-Link Systems Inc.Omada OC200, OC220, OC300, OC4000 < 6.0.0.34affected
TP-Link Systems Inc.Omada cloud controller0 < 6.0.0.100affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References