ID

VAR-202602-3856


CVE

CVE-2025-9292


TITLE

Vulnerability related to excessively permissive cross-domain whitelisting in multiple TP-LINK Technologies products such as Aginet

Trust: 0.8

sources: JVNDB: JVNDB-2026-009889

DESCRIPTION

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP-Link. No user action is required. All information handled by the software may be leaked to the outside. Information handled by the software will not be rewritten, and the software will not stop. Attacks exploiting this vulnerability will not affect other software.

Trust: 1.62

sources: NVD: CVE-2025-9292 // JVNDB: JVNDB-2026-009889

AFFECTED PRODUCTS

vendor: tp link, model: kidshield, scope: lt, version: 1.1.21

Trust: 1.0

vendor: tp link, model: wifi toolkit, scope: lt, version: 1.4.28

Trust: 1.0

vendor: tp link, model: deco, scope: lt, version: 3.9.163

Trust: 1.0

vendor: tp link, model: aginet, scope: lt, version: 2.13.6

Trust: 1.0

vendor: tp link, model: vigi, scope: lt, version: 2.7.70

Trust: 1.0

vendor: tp link, model: omada guard, scope: lt, version: 1.1.28

Trust: 1.0

vendor: tp link, model: kasa, scope: lt, version: 3.4.350

Trust: 1.0

vendor: tp link, model: tapo, scope: lt, version: 3.14.111

Trust: 1.0

vendor: tp link, model: wi-fi navi, scope: lt, version: 1.5.5

Trust: 1.0

vendor: tp link, model: omada, scope: lt, version: 4.25.25

Trust: 1.0

vendor: tp link, model: festa, scope: lt, version: 1.7.1

Trust: 1.0

vendor: tp link, model: tether, scope: lt, version: 4.12.27

Trust: 1.0

vendor: tp link, model: tp-partner, scope: lt, version: 2.0.1

Trust: 1.0

vendor: tp link, model: tpcamera, scope: lt, version: 3.2.17

Trust: 1.0

vendor: tp link, model: deco, scope: -, version: -

Trust: 0.8

vendor: tp link, model: vigi, scope: -, version: -

Trust: 0.8

vendor: tp link, model: tether, scope: -, version: -

Trust: 0.8

vendor: tp link, model: tpcamera, scope: -, version: -

Trust: 0.8

vendor: tp link, model: omada guard, scope: -, version: -

Trust: 0.8

vendor: tp link, model: aginet, scope: -, version: -

Trust: 0.8

vendor: tp link, model: wi-fi navi, scope: -, version: -

Trust: 0.8

vendor: tp link, model: tapo, scope: -, version: -

Trust: 0.8

vendor: tp link, model: omada, scope: -, version: -

Trust: 0.8

vendor: tp link, model: wi-fi toolkit, scope: -, version: -

Trust: 0.8

vendor: tp link, model: kidshield, scope: -, version: -

Trust: 0.8

vendor: tp link, model: kasa, scope: -, version: -

Trust: 0.8

vendor: tp link, model: tp-partner, scope: -, version: -

Trust: 0.8

vendor: tp link, model: festa, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-009889 // NVD: CVE-2025-9292

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2025-9292
value: HIGH

Trust: 1.0

f23511db-6c3e-4e32-a477-6aa17d310630: CVE-2025-9292
value: LOW

Trust: 1.0

NVD: CVE-2025-9292
value: HIGH

Trust: 0.8

nvd@nist.gov: CVE-2025-9292
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2025-9292
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-009889 // NVD: CVE-2025-9292 // NVD: CVE-2025-9292

PROBLEMTYPE DATA

problemtype: CWE-942

Trust: 1.0

problemtype: Overly permissive cross-domain whitelisting (CWE-942) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-009889 // NVD: CVE-2025-9292

PATCH

title: Security Advisory on Permissive Web Security Policy Allows Cross-Origin Access Control Bypass on Omada Cloud Controllers and Insufficient Certificate Validation in Multiple Mobile Applications Allows Man in the Middle Interception (CVE-2025-9292 and CVE-2 TP-Link
url: https://www.omadanetworks.com/us/support/faq/4969/

Trust: 0.8

sources: JVNDB: JVNDB-2026-009889

EXTERNAL IDS

db: NVD, id: CVE-2025-9292

Trust: 2.6

db: JVNDB, id: JVNDB-2026-009889

Trust: 0.8

sources: JVNDB: JVNDB-2026-009889 // NVD: CVE-2025-9292

REFERENCES

url: https://www.tp-link.com/us/support/faq/4969/

Trust: 1.0

url: https://www.omadanetworks.com/us/support/faq/4969/

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2025-9292

Trust: 0.8

sources: JVNDB: JVNDB-2026-009889 // NVD: CVE-2025-9292

SOURCES

db: JVNDB, id: JVNDB-2026-009889
db: NVD, id: CVE-2025-9292

LAST UPDATE DATE

2026-04-05T23:49:32.539000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-009889, date: 2026-04-03T02:20:00
db: NVD, id: CVE-2025-9292, date: 2026-04-01T20:52:43.110

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-009889, date: 2026-04-03T00:00:00
db: NVD, id: CVE-2025-9292, date: 2026-02-13T02:16:45.937