Skip to main content

Omada Controller

6 CVEs product

Monthly

CVE-2025-9522 MEDIUM This Month

Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information. [CVSS 5.3 MEDIUM]

SSRF Omada Controller
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-9521 MEDIUM This Month

Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security. [CVSS 6.5 MEDIUM]

Authentication Bypass Omada Controller
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-9520 MEDIUM This Month

An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. [CVSS 6.8 MEDIUM]

Authentication Bypass Omada Controller
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-9290 MEDIUM This Month

An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values.

Information Disclosure Eap100 Bridge Kit Firmware Er605 Firmware Eap723 Firmware Eap215 Bridge Kit Firmware +52
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-9289 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator.

XSS Oc200 Firmware Oc400 Firmware Oc300 Firmware Oc220 Firmware +1
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2020-12475 MEDIUM POC This Month

TP-Link Omada Controller Software 3.2.6 allows Directory Traversal for reading arbitrary files via com.tp_link.eap.web.portal.PortalController.getAdvertiseFile in. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

TP-Link Path Traversal Omada Controller
NVD
CVSS 3.1
5.5
EPSS
0.6%
EPSS 0% CVSS 5.3
MEDIUM This Month

Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information. [CVSS 5.3 MEDIUM]

SSRF Omada Controller
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security. [CVSS 6.5 MEDIUM]

Authentication Bypass Omada Controller
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. [CVSS 6.8 MEDIUM]

Authentication Bypass Omada Controller
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values.

Information Disclosure Eap100 Bridge Kit Firmware Er605 Firmware +54
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator.

XSS Oc200 Firmware Oc400 Firmware +3
NVD VulDB
EPSS 1% CVSS 5.5
MEDIUM POC This Month

TP-Link Omada Controller Software 3.2.6 allows Directory Traversal for reading arbitrary files via com.tp_link.eap.web.portal.PortalController.getAdvertiseFile in. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

TP-Link Path Traversal Omada Controller
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy