CVE-2025-9521 | THREATINT

Description

Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security.

PUBLISHED Reserved 2025-08-27 | Published 2026-01-26 | Updated 2026-02-03 | Assigner TPLink

LOW: 2.1CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-522 Insufficiently Protected Credentials

Product status

Default status

unknown

Any version before 6.0

affected

Credits

Eduardo Bido on behalf of Thoropass finder

References

support.omadanetworks.com/us/document/115200/ vendor-advisory

support.omadanetworks.com/...load/software/omada-controller/ patch

cve.org (CVE-2025-9521)

nvd.nist.gov (CVE-2025-9521)

Download JSON