Vulnerability Description
A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator’s browser, potentially exposing sensitive information and compromising confidentiality.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tp-Link | Omada Controller | < 6.0.0.24 |
| Tp-Link | Oc200 Firmware | < 1.37.9 |
| Tp-Link | Oc200 | 1 |
| Tp-Link | Oc220 Firmware | < 1.2.9 |
| Tp-Link | Oc220 | 1 |
| Tp-Link | Oc300 Firmware | < 1.31.9 |
| Tp-Link | Oc300 | 1.6 |
| Tp-Link | Oc400 Firmware | < 1.9.9 |
| Tp-Link | Oc400 | 1.6 |
Related Weaknesses (CWE)
References
- https://support.omadanetworks.com/us/document/114950/Vendor Advisory
- https://support.omadanetworks.com/us/download/Product
FAQ
What is CVE-2025-9289?
CVE-2025-9289 is a vulnerability with a CVSS score of 4.7 (MEDIUM). A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning...
How severe is CVE-2025-9289?
CVE-2025-9289 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-9289?
Check the references section above for vendor advisories and patch information. Affected products include: Tp-Link Omada Controller, Tp-Link Oc200 Firmware, Tp-Link Oc200, Tp-Link Oc220 Firmware, Tp-Link Oc220.