Security Advisory on Permissive Web Security Policy Allows Cross-Origin Access Control Bypass on Omada Cloud Controllers and Insufficient Certificate Validation in Multiple Mobile Applications Allows Man in the Middle Interception (CVE-2025-9292 and CVE-2025-9293)

Security Advisory
Updated 02-13-2026 00:19:48 AM

Description of Vulnerabilities and Impacts:

CVE-2025-9292: Permissive Web Security Policy Allows Cross-Origin Access Control Bypass on Omada Cloud Controllers

A permissive web security configuration in Omada cloud controllers may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface.

Successful exploitation could allow unauthorized disclosure of sensitive information.

CVSS v4.0 Score: 2.0 / Low

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
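The advisory does not publish the controller's actual cross-origin configuration. The example below is added here and is not TP-Link's code; it models the usual form of a "permissive web security policy" (a server that reflects any request Origin into Access-Control-Allow-Origin while also allowing credentials) beside an allowlist-based policy, and a classifier that rates a response the way a browser would decide whether the body is readable cross-origin. The allowlisted origin, the probe origins and the URL form are assumptions.

```python
"""Probe for the permissive cross-origin policy pattern behind CVE-2025-9292.

Added example, not TP-Link's code. The advisory does not publish the actual
configuration, so this models the usual failure: a server that reflects any
request Origin into Access-Control-Allow-Origin and also sends
Access-Control-Allow-Credentials: true. A script on an attacker-chosen origin
can then read authenticated responses. The allowlist, origins and URL below
are assumptions.
"""
import urllib.error
import urllib.request

TRUSTED_ORIGINS = {"https://controller.example.net"}  # assumed first-party origin


def permissive_cors_headers(request_origin):
    """Weak server policy: echoes whatever Origin the browser sent."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(request_origin):
    """Corrected policy: exact-match allowlist; unknown origins get no grant."""
    if request_origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # keep caches from serving one origin's grant to another
        }
    return {}


def classify_cors_response(request_origin, headers):
    """Return (severity, message) findings for one cross-origin response.

    Mirrors the browser's decision: the body is readable from request_origin
    only when ACAO equals that origin, or is '*' and no credentials were sent."""
    findings = []
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return findings  # browser blocks the cross-origin read
    if acao == "*":
        if creds:
            findings.append(("medium", "ACAO '*' with credentials: browsers refuse it, but it signals a hand-rolled policy"))
        return findings
    if acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        sev = "high" if creds else "medium"
        findings.append((sev, f"untrusted origin {request_origin!r} reflected" + (" with credentials" if creds else "")))
    if acao == "null":
        findings.append(("high", "ACAO 'null' is readable from sandboxed iframes and data: URLs"))
    return findings


def probe_policy(policy, origins):
    """Run a policy function over candidate origins; an empty list means no finding."""
    return {o: classify_cors_response(o, policy(o)) for o in origins}


def probe_live(url, origin, timeout=10):
    """Send one GET with a chosen Origin to a real endpoint and classify the reply.
    Not run here; use only against systems you are authorized to test."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_cors_response(origin, resp.headers)
    except urllib.error.HTTPError as err:
        return classify_cors_response(origin, err.headers)  # CORS headers arrive on 4xx too


if __name__ == "__main__":
    probes = ["https://controller.example.net", "https://attacker.example", "null"]
    for name, policy in (("permissive", permissive_cors_headers), ("hardened", hardened_cors_headers)):
        print(name, probe_policy(policy, probes))
```

The "null" origin is worth probing separately: a policy that reflects it grants read access to anything running in a sandboxed iframe, which is exactly the kind of existing client-side injection the advisory names as a precondition.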

CVE-2025-9293: Insufficient Certificate Validation in Multiple Mobile Applications Allows Man in the Middle Interception

A vulnerability in the certificate validation logic may allow the applications to accept untrusted or improperly validated server identities during TLS communication. An attacker in a privileged network position (on the path between the application and its server) may be able to intercept or modify traffic.

Successful exploitation may compromise confidentiality, integrity, and availability of application data.

CVSS v4.0 Score: 7.7 / High

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N
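The advisory does not say which validation step was insufficient. The example below is added here and is not TP-Link's code; it shows the full client-side identity check a TLS client must perform (chain trust, validity period, then hostname match against subjectAltName, in that order) next to the accept-everything verifier that makes an app interceptable by anyone who can present their own certificate. The certificates are constructed dicts in the layout ssl.SSLSocket.getpeercert() returns, so the code runs offline; the names and addresses are made up.

```python
"""Server-identity check of the kind the advisory says the affected apps lack.

Added example, not TP-Link's code. The advisory does not say which validation
step was insufficient; this shows the full client-side sequence (chain trust,
validity period, then hostname match against subjectAltName) beside the
accept-everything verifier that makes a client interceptable. The certificates
are constructed dicts in the layout ssl.SSLSocket.getpeercert() returns, so the
code runs offline; the hostnames and addresses are made up.
"""
import ipaddress
import ssl
import time


class IdentityError(ValueError):
    """Raised when a presented certificate must not be trusted for the host."""


# Constructed: the genuine server certificate, as seen after chain validation.
GENUINE_CERT = {
    "subject": ((("commonName", "app.example.net"),),),
    "subjectAltName": (
        ("DNS", "app.example.net"),
        ("DNS", "*.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}
# Constructed: what an on-path attacker can mint for itself. The names are
# right, but the chain does not lead to a trusted root.
ATTACKER_CERT = {
    "subject": ((("commonName", "app.example.net"),),),
    "subjectAltName": (("DNS", "app.example.net"),),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; a wildcard is allowed only
    as the whole leftmost label and never spans more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*.tld' and bare '*' are rejected; the remaining labels must match exactly
    return len(p_labels) >= 3 and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _as_ip(host):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def hostname_matches_cert(cert, hostname):
    """True when hostname is covered by subjectAltName. commonName is ignored,
    as browsers and Android 7+ do, so a CN-only certificate cannot satisfy this."""
    san = cert.get("subjectAltName", ())
    ip = _as_ip(hostname)
    if ip is not None:
        return any(kind == "IP Address" and _as_ip(val) == ip for kind, val in san)
    return any(kind == "DNS" and _dns_name_matches(val, hostname) for kind, val in san)


def verify_server_identity(cert, hostname, chain_trusted, now=None):
    """Correct verifier: every check must pass, in this order. Returns True or
    raises IdentityError. chain_trusted is the result of path validation against
    the platform trust store, which the TLS library reports to the application."""
    if not chain_trusted:
        raise IdentityError("certificate does not chain to a trusted root")
    current = now if now is not None else time.time()
    if current > ssl.cert_time_to_seconds(cert["notAfter"]):
        raise IdentityError("certificate has expired")
    if not hostname_matches_cert(cert, hostname):
        raise IdentityError(f"certificate is not valid for {hostname!r}")
    return True


def accept_any_server(cert, hostname, chain_trusted, now=None):
    """The interceptable pattern: a trust callback that never fails, so an
    attacker's self-signed or wrong-name certificate is accepted."""
    return True


if __name__ == "__main__":
    print(verify_server_identity(GENUINE_CERT, "api.example.net", chain_trusted=True))
    try:
        verify_server_identity(ATTACKER_CERT, "app.example.net", chain_trusted=False)
    except IdentityError as err:
        print("rejected:", err)
    print("accept-any verifier result:", accept_any_server(ATTACKER_CERT, "app.example.net", False))
```

Skipping any one of the three checks is enough to reproduce the impact described above: a client that validates the chain but not the name accepts any certificate the attacker legitimately holds, and one that skips chain validation accepts a certificate the attacker mints on the spot.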

Affected Products/Versions and Fixes:

Affected Applications    Affected Version
Tapo                     < 3.14.111
Kasa                     < 3.4.350
Omada                    < 4.25.25
Omada Guard              < 1.1.28
Tether                   < 4.12.27
Deco                     < 3.9.163
Aginet                   < 2.13.6
tpCamera                 < 3.2.17
WiFi Toolkit             < 1.4.28
Festa                    < 1.7.1
Wi-Fi Navi               < 1.5.5
KidShield                < 1.1.21
TP-Partner               < 2.0.1
VIGI                     < 2.7.70

Recommendations:

We strongly recommend that users with affected devices take the following actions:

  1. For CVE-2025-9292:

No user action is required for Omada Cloud deployments, as updates are automatically applied to the cloud environment once validated by TP-Link.

  2. For CVE-2025-9293:

Users of affected mobile applications should:

  • Open the Google Play Store
  • Check for available updates
  • Install the latest application version (no lower than the version listed for that application above)

Note: iOS applications are not affected.

Disclaimer:

If you do not take all recommended actions, these vulnerabilities will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.
