Omada Software Controller
by TP-Link
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-44032 | TP-Link / Omada Software Controller | High | 0.49 | 7.5 | 0.02 | — | Mar 10, 2022 | TP-Link Omada SDN Software Controller before 5.0.15 does not check if the authentication method specified in a connection request is allowed. An attacker can bypass the captive portal authentication process by using the downgraded "no authentication" method, and access the… |
| CVE-2020-12475 | TP-Link / Omada Software Controller | Med | 0.36 | 5.5 | 0.01 | — | May 4, 2020 | TP-Link Omada Controller Software 3.2.6 allows Directory Traversal for reading arbitrary files via com.tp_link.eap.web.portal.PortalController.getAdvertiseFile in /opt/tplink/EAPController/lib/eap-web-3.2.6.jar. |
| CVE-2025-9522 | TP-Link / Omada Software Controller | — | 0.00 | — | 0.00 | — | Jan 26, 2026 | Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information. |
| CVE-2025-9521 | TP-Link / Omada Software Controller | — | 0.00 | — | 0.00 | — | Jan 26, 2026 | Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification and change the user's password without proper confirmation, leading to weakened account security. |
| CVE-2025-9520 | TP-Link / Omada Software Controller | — | 0.00 | — | 0.00 | — | Jan 26, 2026 | An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. |
| CVE-2025-9290 | TP-Link / Omada Software Controller | — | 0.00 | — | 0.00 | — | Jan 22, 2026 | An authentication weakness was identified in controller-device adoption on Omada Controllers, Gateways and Access Points, due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge… |
| CVE-2025-9289 | TP-Link / Omada Software Controller | — | 0.00 | — | 0.00 | — | Jan 22, 2026 | A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated… |

Sev, Risk, CVSS and EPSS are the values the tracker shows; "—" marks a field the listing does not populate (no CVSS or severity for the 2026 entries, no KEV listing shown for any entry).
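The CVE-2021-44032 entry describes a classic policy-check omission: the portal verifies whatever credentials go with the method the client names, but never asks whether that method is enabled on the portal at all, so a client on a password-protected portal can claim "no authentication". The following is an added illustration of that bug class and its fix; it is not Omada code, and `PortalConfig`, `ConnectRequest`, the `AUTH_*` constants and the `handle_connect_*` functions are invented names.

```python
"""Captive-portal connection check for the bug class behind CVE-2021-44032.

Added illustration, not Omada code: every name here is invented. The vulnerable
handler trusts the method named in the request; the fixed handler first checks
that method against the set the portal administrator actually enabled.
"""
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Optional

AUTH_NONE = "no_auth"              # open portal, no credentials required
AUTH_PASSWORD = "simple_password"  # shared password configured on the portal


@dataclass(frozen=True)
class PortalConfig:
    allowed_methods: FrozenSet[str]   # what the admin enabled for this portal
    password: Optional[str] = None    # only meaningful when AUTH_PASSWORD is enabled


@dataclass(frozen=True)
class ConnectRequest:
    client_mac: str
    auth_method: str                  # attacker-controlled field from the request body
    password: Optional[str] = None


def _credentials_ok(cfg: PortalConfig, req: ConnectRequest) -> bool:
    """Verify credentials for the method the request names (no policy check here)."""
    if req.auth_method == AUTH_NONE:
        return True
    if req.auth_method == AUTH_PASSWORD:
        if cfg.password is None or req.password is None:
            return False
        return hmac.compare_digest(req.password.encode(), cfg.password.encode())
    return False  # unknown method


def handle_connect_vulnerable(cfg: PortalConfig, req: ConnectRequest) -> bool:
    # BUG: dispatches on req.auth_method without asking whether the portal allows it,
    # so a client on a password portal can simply claim AUTH_NONE and get through.
    return _credentials_ok(cfg, req)


def handle_connect_fixed(cfg: PortalConfig, req: ConnectRequest) -> bool:
    # Policy first: the requested method must be one the portal was configured with.
    if req.auth_method not in cfg.allowed_methods:
        return False
    return _credentials_ok(cfg, req)


# Constructed sample data: a password-protected portal and two clients.
PASSWORD_PORTAL = PortalConfig(allowed_methods=frozenset({AUTH_PASSWORD}),
                               password="guest-wifi-2024")
DOWNGRADE_REQUEST = ConnectRequest("aa:bb:cc:dd:ee:01", AUTH_NONE)
LEGIT_REQUEST = ConnectRequest("aa:bb:cc:dd:ee:02", AUTH_PASSWORD, "guest-wifi-2024")

if __name__ == "__main__":
    print("vulnerable, downgrade:", handle_connect_vulnerable(PASSWORD_PORTAL, DOWNGRADE_REQUEST))
    print("fixed, downgrade:     ", handle_connect_fixed(PASSWORD_PORTAL, DOWNGRADE_REQUEST))
    print("fixed, legit:         ", handle_connect_fixed(PASSWORD_PORTAL, LEGIT_REQUEST))
```

The point of the fix is where the check sits: the allow-list is consulted before any method-specific logic runs, so adding a new method later cannot reintroduce the downgrade. The same shape applies to any server-side dispatch keyed on a client-chosen mode (auth type, signature algorithm, TLS profile).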
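The CVE-2020-12475 entry names a file-serving method (`getAdvertiseFile`) that reads arbitrary files, which is the usual outcome of joining a user-supplied name onto a base directory without canonicalising the result. The example below is added here to show the vulnerable join beside a canonical-path check; it is not the Omada implementation, and `vulnerable_resolve`, `vulnerable_read`, `safe_resolve` and `make_demo_tree` are invented helpers operating on a constructed temporary directory.

```python
"""Serving a portal advertisement file without directory traversal (CVE-2020-12475 class).

Added illustration, not Omada code. The page gives only the affected class and
method name; the file-resolution logic here is an assumption about the bug class.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    # BUG CLASS: user-controlled name joined straight onto the advertisement directory.
    # "../" segments walk out of base_dir, and an absolute name replaces it entirely.
    return os.path.join(base_dir, requested)


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """What the vulnerable handler would hand back to the client."""
    with open(vulnerable_resolve(base_dir, requested), "rb") as fh:
        return fh.read()


def safe_resolve(base_dir: str, requested: str) -> Optional[Path]:
    """Return the file to serve, or None if the name escapes base_dir or is missing."""
    base = Path(base_dir).resolve()
    # Cheap syntactic rejects: empty, absolute, or containing a NUL byte.
    if not requested or requested.startswith(("/", "\\")) or "\x00" in requested:
        return None
    # resolve() collapses ".." and follows symlinks, so compare canonical paths,
    # not the string the client sent.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # canonical path lies outside the advertisement directory
    if not candidate.is_file():
        return None
    return candidate


def make_demo_tree() -> str:
    """Constructed sample layout: <root>/ads/banner.png and <root>/secret.txt.

    Returns the ads directory; the secret sits one level above it."""
    root = tempfile.mkdtemp(prefix="portal-ads-demo-")
    ads = Path(root, "ads")
    ads.mkdir()
    (ads / "banner.png").write_bytes(b"\x89PNG demo bytes")
    Path(root, "secret.txt").write_text("not an advertisement\n")
    return str(ads)


if __name__ == "__main__":
    ads = make_demo_tree()
    for name in ("banner.png", "../secret.txt", "/etc/hostname"):
        print(f"{name!r:18} vulnerable -> {vulnerable_resolve(ads, name)}")
        print(f"{'':18} safe       -> {safe_resolve(ads, name)}")
```

Note that the check is on the resolved path, not on the presence of `..` in the input: encoded or platform-specific separators and symlinks inside the base directory are all normalised away before the containment test, which is what a string filter would miss.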
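The CVE-2025-9522 entry is a blind SSRF through webhook configuration: an administrator-supplied URL is fetched by the controller, so it can be pointed at services only the controller can reach. The page gives no detail of the affected endpoint; the following is an added, generic destination check of the kind a webhook feature needs, not Omada code. `check_webhook_url`, `default_resolver`, `BLOCKED_NETWORKS` and the constructed `FAKE_DNS` table are invented for this example.

```python
"""Webhook destination check against blind SSRF (CVE-2025-9522 class).

Added illustration, not Omada code. The resolver is injectable so the check can
be exercised offline against a constructed DNS table.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Destinations a controller should never call on an admin's say-so: loopback,
# RFC 1918, link-local (cloud metadata lives at 169.254.169.254), CGNAT,
# "this network", and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], List[str]]


def default_resolver(host: str) -> List[str]:
    """Resolve every A/AAAA record, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_blocked(ip_text: str) -> bool:
    addr = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it cannot sneak past the v4 list.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_webhook_url(url: str, resolver: Resolver = default_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Validates scheme, host form, and every resolved address."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal address, no DNS needed
    except ValueError:
        try:
            ips = resolver(host)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
        if not ips:
            return False, f"cannot resolve {host}"
    for ip in ips:  # one bad record is enough to refuse the whole name
        if _is_blocked(ip):
            return False, f"{host} -> {ip} is in a blocked range"
    return True, f"ok ({', '.join(ips)}, port {port or 'default'})"


# Constructed DNS table so the example runs without network access.
FAKE_DNS = {
    "hooks.example.com": ["203.0.113.10"],
    "metadata.internal": ["10.0.0.5"],
    "dual.example.com": ["203.0.113.11", "192.168.1.20"],  # one public, one private
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://hooks.example.com/notify", "http://127.0.0.1:8080/api",
              "http://[::ffff:169.254.169.254]/latest/", "http://metadata.internal/",
              "http://dual.example.com/", "file:///etc/passwd"):
        print(f"{u:42} {check_webhook_url(u, fake_resolver)}")
```

Two caveats a validator like this does not cover on its own: the address checked must be the address connected to (re-resolving at send time reopens DNS rebinding, so pin the validated IP or re-check inside the connect path), and the HTTP client must not follow redirects, since a public host can 302 to an internal one. For a blind SSRF the attacker only learns whether the request succeeded, which is why the reason string above should reach logs but not the API response.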