CVE-2025-9290 [Medium] | Information Disclosure in Omada Controller

An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-01-23	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-01-23

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.0	4.0	MEDIUM	`CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X` Click to expand Attack vector (AV:A) Attacker has to be on an adjacent/local network segment. Attack complexity (AC:H) Exploitation depends on constrained or hard-to-reproduce conditions. Attack requirements (AT:N) No additional preconditions are required beyond normal reachability. Privileges required (PR:N) No privileges are required. User interaction (UI:N) No user interaction is required. Vulnerable system confidentiality impact (VC:H) High confidentiality impact on the vulnerable system. Vulnerable system integrity impact (VI:N) No integrity impact on the vulnerable system. Vulnerable system availability impact (VA:N) No availability impact on the vulnerable system. Subsequent system confidentiality impact (SC:N) No confidentiality impact on subsequent systems. Subsequent system integrity impact (SI:N) No integrity impact on subsequent systems. Subsequent system availability impact (SA:N) No availability impact on subsequent systems. Exploit maturity (threat) (E:X) Not defined: no reliable threat intelligence; scoring assumes the worst case (equivalent to Attacked). Confidentiality requirement (CR:X) Not defined: insufficient information; scoring treats this like High (worst case). Integrity requirement (IR:X) Not defined: insufficient information; scoring treats this like High (worst case). Availability requirement (AR:X) Not defined: insufficient information; scoring treats this like High (worst case). Modified attack vector (MAV:X) Not defined: scoring uses the Base Attack Vector (AV). Modified attack complexity (MAC:X) Not defined: scoring uses the Base Attack Complexity (AC). Modified attack requirements (MAT:X) Not defined: scoring uses the Base Attack Requirements (AT). Modified privileges required (MPR:X) Not defined: scoring uses the Base Privileges Required (PR). Modified user interaction (MUI:X) Not defined: scoring uses the Base User Interaction (UI). Modified vulnerable system confidentiality impact (MVC:X) Not defined: scoring uses the Base VC metric. Modified vulnerable system integrity impact (MVI:X) Not defined: scoring uses the Base VI metric. Modified vulnerable system availability impact (MVA:X) Not defined: scoring uses the Base VA metric. Modified subsequent system confidentiality impact (MSC:X) Not defined: scoring uses the Base SC metric. Modified subsequent system integrity impact (MSI:X) Not defined: scoring uses the Base SI metric. Modified subsequent system availability impact (MSA:X) Not defined: scoring uses the Base SA metric. Safety (supplemental) (S:X) Not evaluated. Automatable (supplemental) (AU:X) Not evaluated. Recovery (supplemental) (R:X) Not evaluated. Value density (supplemental) (V:X) Not evaluated. Vulnerability response effort (supplemental) (RE:X) Not evaluated. Provider urgency (supplemental) (U:X) Not evaluated.	—	—	f23511db-6c3e-4e32-a477-6aa17d310630
5.9	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	2.2	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.0

4.0

MEDIUM

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Click to expand

Attack vector (AV:A): Attacker has to be on an adjacent/local network segment.
Attack complexity (AC:H): Exploitation depends on constrained or hard-to-reproduce conditions.
Attack requirements (AT:N): No additional preconditions are required beyond normal reachability.
Privileges required (PR:N): No privileges are required.
User interaction (UI:N): No user interaction is required.
Vulnerable system confidentiality impact (VC:H): High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N): No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N): No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N): No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N): No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N): No availability impact on subsequent systems.
Exploit maturity (threat) (E:X): Not defined: no reliable threat intelligence; scoring assumes the worst case (equivalent to Attacked).
Confidentiality requirement (CR:X): Not defined: insufficient information; scoring treats this like High (worst case).
Integrity requirement (IR:X): Not defined: insufficient information; scoring treats this like High (worst case).
Availability requirement (AR:X): Not defined: insufficient information; scoring treats this like High (worst case).
Modified attack vector (MAV:X): Not defined: scoring uses the Base Attack Vector (AV).
Modified attack complexity (MAC:X): Not defined: scoring uses the Base Attack Complexity (AC).
Modified attack requirements (MAT:X): Not defined: scoring uses the Base Attack Requirements (AT).
Modified privileges required (MPR:X): Not defined: scoring uses the Base Privileges Required (PR).
Modified user interaction (MUI:X): Not defined: scoring uses the Base User Interaction (UI).
Modified vulnerable system confidentiality impact (MVC:X): Not defined: scoring uses the Base VC metric.
Modified vulnerable system integrity impact (MVI:X): Not defined: scoring uses the Base VI metric.
Modified vulnerable system availability impact (MVA:X): Not defined: scoring uses the Base VA metric.
Modified subsequent system confidentiality impact (MSC:X): Not defined: scoring uses the Base SC metric.
Modified subsequent system integrity impact (MSI:X): Not defined: scoring uses the Base SI metric.
Modified subsequent system availability impact (MSA:X): Not defined: scoring uses the Base SA metric.
Safety (supplemental) (S:X): Not evaluated.
Automatable (supplemental) (AU:X): Not evaluated.
Recovery (supplemental) (R:X): Not evaluated.
Value density (supplemental) (V:X): Not evaluated.
Vulnerability response effort (supplemental) (RE:X): Not evaluated.
Provider urgency (supplemental) (U:X): Not evaluated.

—

f23511db-6c3e-4e32-a477-6aa17d310630

5.9

3.1

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

2.2

3.6

[email protected]

Affected software / configurations for CVE-2025-9290

Vendor	Product	Version	Raw CPE
tp-link	omada_controller	< 6.0.0.24	cpe:2.3:a:tp-link:omada_controller:::::-:::*
tp-link	omada_controller	< 6.0.0.100	cpe:2.3:a:tp-link:omada_controller:::::cloud:::*
tp-link	oc200_firmware	< 1.37.9	cpe:2.3:o:tp-link:oc200_firmware::::::::
tp-link	oc220_firmware	< 1.1.3	cpe:2.3:o:tp-link:oc220_firmware::::::::
tp-link	oc300_firmware	< 1.31.9	cpe:2.3:o:tp-link:oc300_firmware::::::::
tp-link	oc400_firmware	< 1.9.9	cpe:2.3:o:tp-link:oc400_firmware::::::::
tp-link	oc200_firmware	< 2.22.9	cpe:2.3:o:tp-link:oc200_firmware::::::::
tp-link	oc220_firmware	—	cpe:2.3:o:tp-link:oc220_firmware:-:::::::*
tp-link	er605_firmware	< 2.3.2	cpe:2.3:o:tp-link:er605_firmware::::::::
tp-link	er7206_firmware	< 2.2.2	cpe:2.3:o:tp-link:er7206_firmware::::::::
tp-link	er7406_firmware	< 1.2.2	cpe:2.3:o:tp-link:er7406_firmware::::::::
tp-link	er707-m2_firmware	< 1.3.1	cpe:2.3:o:tp-link:er707-m2_firmware::::::::
tp-link	er7412-m2_firmware	< 1.1.0	cpe:2.3:o:tp-link:er7412-m2_firmware::::::::
tp-link	er8411_firmware	< 1.3.5	cpe:2.3:o:tp-link:er8411_firmware::::::::
tp-link	er706w_firmware	< 1.2.1	cpe:2.3:o:tp-link:er706w_firmware::::::::
tp-link	er706w-4g_firmware	< 1.2.1	cpe:2.3:o:tp-link:er706w-4g_firmware::::::::
tp-link	er706wp-4g_firmware	< 1.1.0	cpe:2.3:o:tp-link:er706wp-4g_firmware::::::::
tp-link	er703wp-4g-outdoor_firmware	< 1.1.0	cpe:2.3:o:tp-link:er703wp-4g-outdoor_firmware::::::::
tp-link	dr3220v-4g_firmware	< 1.1.0	cpe:2.3:o:tp-link:dr3220v-4g_firmware::::::::
tp-link	dr3650v-4g_firmware	< 1.1.0	cpe:2.3:o:tp-link:dr3650v-4g_firmware::::::::
tp-link	dr3650v_firmware	< 1.1.0	cpe:2.3:o:tp-link:dr3650v_firmware::::::::
tp-link	er701-5g-outdoor_firmware	< 1.0.0	cpe:2.3:o:tp-link:er701-5g-outdoor_firmware::::::::
tp-link	er605w_firmware	< 2.0.2	cpe:2.3:o:tp-link:er605w_firmware::::::::
tp-link	er7212pc_firmware	< 2.2.1	cpe:2.3:o:tp-link:er7212pc_firmware::::::::
tp-link	fr365_firmware	< 1.1.10	cpe:2.3:o:tp-link:fr365_firmware::::::::
tp-link	g36w-4g_firmware	< 1.1.5	cpe:2.3:o:tp-link:g36w-4g_firmware::::::::
tp-link	eap655-wall_firmware	< 1.6.2	cpe:2.3:o:tp-link:eap655-wall_firmware::::::::
tp-link	eap660_hd_firmware	< 1.6.1	cpe:2.3:o:tp-link:eap660_hd_firmware::::::::
tp-link	eap620_hd_firmware	< 1.6.1	cpe:2.3:o:tp-link:eap620_hd_firmware::::::::
tp-link	eap610-outdoor_firmware	< 1.6.1	cpe:2.3:o:tp-link:eap610-outdoor_firmware::::::::
tp-link	eap610_firmware	< 1.6.1	cpe:2.3:o:tp-link:eap610_firmware::::::::
tp-link	eap623-outdoor_hd_firmware	< 1.6.1	cpe:2.3:o:tp-link:eap623-outdoor_hd_firmware::::::::
tp-link	eap625-outdoor_hd_firmware	< 1.6.1	cpe:2.3:o:tp-link:eap625-outdoor_hd_firmware::::::::
tp-link	eap772_firmware	< 1.3.2	cpe:2.3:o:tp-link:eap772_firmware::::::::
tp-link	eap772-outdoor_firmware	< 1.3.2	cpe:2.3:o:tp-link:eap772-outdoor_firmware::::::::
tp-link	eap770_firmware	< 1.3.2	cpe:2.3:o:tp-link:eap770_firmware::::::::
tp-link	eap723_firmware	< 1.3.2	cpe:2.3:o:tp-link:eap723_firmware::::::::
tp-link	eap773_firmware	< 1.1.2	cpe:2.3:o:tp-link:eap773_firmware::::::::
tp-link	eap783_firmware	< 1.1.2	cpe:2.3:o:tp-link:eap783_firmware::::::::
tp-link	eap772_firmware	< 1.1.2	cpe:2.3:o:tp-link:eap772_firmware::::::::
tp-link	eap787_firmware	< 1.1.2	cpe:2.3:o:tp-link:eap787_firmware::::::::
tp-link	eap720_firmware	< 1.1.2	cpe:2.3:o:tp-link:eap720_firmware::::::::
tp-link	eap723_firmware	< 1.1.2	cpe:2.3:o:tp-link:eap723_firmware::::::::
tp-link	eap725-wall_firmware	< 1.1.2	cpe:2.3:o:tp-link:eap725-wall_firmware::::::::
tp-link	eap215_bridge_kit_firmware	< 1.1.4	cpe:2.3:o:tp-link:eap215_bridge_kit_firmware::::::::
tp-link	eap211_bridge_kit_firmware	< 1.1.4	cpe:2.3:o:tp-link:eap211_bridge_kit_firmware::::::::
tp-link	beam_bridge_5_ur_firmware	< 1.1.5	cpe:2.3:o:tp-link:beam_bridge_5_ur_firmware::::::::
tp-link	eap603gp-desktop_firmware	< 1.1.0	cpe:2.3:o:tp-link:eap603gp-desktop_firmware::::::::
tp-link	eap615gp-wall_firmware	< 1.1.0	cpe:2.3:o:tp-link:eap615gp-wall_firmware::::::::
tp-link	eap625gp-wall_firmware	< 1.1.0	cpe:2.3:o:tp-link:eap625gp-wall_firmware::::::::
tp-link	eap610gp-desktop_firmware	< 1.1.0	cpe:2.3:o:tp-link:eap610gp-desktop_firmware::::::::
tp-link	eap650gp-desktop_firmware	< 1.0.1	cpe:2.3:o:tp-link:eap650gp-desktop_firmware::::::::
tp-link	eap653_firmware	< 1.3.3	cpe:2.3:o:tp-link:eap653_firmware::::::::
tp-link	eap650-outdoor_firmware	< 1.3.3	cpe:2.3:o:tp-link:eap650-outdoor_firmware::::::::
tp-link	eap230-wall_firmware	< 3.3.1	cpe:2.3:o:tp-link:eap230-wall_firmware::::::::
tp-link	eap235-wall_firmware	< 3.3.1	cpe:2.3:o:tp-link:eap235-wall_firmware::::::::
tp-link	eap603-outdoor_firmware	< 1.5.1	cpe:2.3:o:tp-link:eap603-outdoor_firmware::::::::
tp-link	eap653_ur_firmware	< 1.4.2	cpe:2.3:o:tp-link:eap653_ur_firmware::::::::
tp-link	eap650-desktop_firmware	< 1.1.0	cpe:2.3:o:tp-link:eap650-desktop_firmware::::::::
tp-link	eap615-wall_firmware	< 1.1.0	cpe:2.3:o:tp-link:eap615-wall_firmware::::::::
tp-link	eap100-bridge_kit_firmware	< 1.0.3	cpe:2.3:o:tp-link:eap100-bridge_kit_firmware::::::::
tp-link	er706w-4g_firmware	< 2.1.0	cpe:2.3:o:tp-link:er706w-4g_firmware::::::::
tp-link	omada_controller	< 6.0.0.34	cpe:2.3:a:tp-link:omada_controller:::::-:::*
tp-link	omada_controller	< 5.15.24	cpe:2.3:a:tp-link:omada_controller:::::-:::*

References for CVE-2025-9290

URL	Tags
https://support.omadanetworks.com/en/download/	Product
https://support.omadanetworks.com/us/document/114950/	Vendor Advisory
https://support.omadanetworks.com/us/download/	Product

URL

CVE-2025-9290 | Authentication Weakness on Omada Controllers, Gateways and Access Points

Exploit prediction scoring system (EPSS) score for CVE-2025-9290

Common vulnerability scoring system (CVSS) metrics for CVE-2025-9290

Weakness enumeration for CVE-2025-9290

Affected software / configurations for CVE-2025-9290

References for CVE-2025-9290