CVE-2025-9290 — MEDIUM (5.9)

Q: How severe is CVE-2025-9290?

CVE-2025-9290 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-9290?

Check the references section above for vendor advisories and patch information. Affected products include: Tp-Link Omada Controller, Tp-Link Oc200 Firmware, Tp-Link Oc200, Tp-Link Oc220 Firmware, Tp-Link Oc220.

Vulnerability Description

An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Tp-Link	Omada Controller	< 6.0.0.24
Tp-Link	Oc200 Firmware	< 1.37.9
Tp-Link	Oc200	1
Tp-Link	Oc220 Firmware	< 1.1.3
Tp-Link	Oc220	1
Tp-Link	Oc300 Firmware	< 1.31.9
Tp-Link	Oc300	1.6
Tp-Link	Oc400 Firmware	< 1.9.9
Tp-Link	Oc400	1.6
Tp-Link	Er605 Firmware	< 2.3.2
Tp-Link	Er605	2.0
Tp-Link	Er7206 Firmware	< 2.2.2
Tp-Link	Er7206	2.0
Tp-Link	Er7406 Firmware	< 1.2.2
Tp-Link	Er7406	-
Tp-Link	Er707-M2 Firmware	< 1.3.1
Tp-Link	Er707-M2	-
Tp-Link	Er7412-M2 Firmware	< 1.1.0
Tp-Link	Er7412-M2	-
Tp-Link	Er8411 Firmware	< 1.3.5

Related Weaknesses (CWE)

CWE-760

References

https://support.omadanetworks.com/en/download/Product
https://support.omadanetworks.com/us/document/114950/Vendor Advisory
https://support.omadanetworks.com/us/download/Product

FAQ

What is CVE-2025-9290?

CVE-2025-9290 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network...

How severe is CVE-2025-9290?

CVE-2025-9290 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-9290?

Check the references section above for vendor advisories and patch information. Affected products include: Tp-Link Omada Controller, Tp-Link Oc200 Firmware, Tp-Link Oc200, Tp-Link Oc220 Firmware, Tp-Link Oc220.