Omada Controller
CVE-2025-9521
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security.
AnalysisAI
Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security. [CVSS 6.5 MEDIUM]
Technical ContextAI
Classified as CWE-522 (Insufficiently Protected Credentials). Affects Omada Controller. Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Omada Controller
View allTP-Link Omada Controller Software 3.2.6 allows Directory Traversal for reading arbitrary files via com.tp_link.eap.web.p
An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate r
An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption d
Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests t
A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sani
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today