CVE-2025-9522 | THREATINT

Description

Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information.

PUBLISHED Reserved 2025-08-27 | Published 2026-01-26 | Updated 2026-02-03 | Assigner TPLink

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status

unknown

Any version before 6.0

affected

Credits

Eduardo Bido on behalf of Thoropass finder

References

support.omadanetworks.com/us/document/115200/ vendor-advisory

https/...networks.com/us/download/software/omada-controller/ patch

cve.org (CVE-2025-9522)

nvd.nist.gov (CVE-2025-9522)

Download JSON