Cyber Resilience

CVE-2025-9292

Severity: Low

Published: 13 February 2026
Modified: 01 April 2026
KEV Added: not listed
Patch: available (automatic deployment; see Deeper analysis)
CVSS Score (v4.0): 2.0
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0002 (4.5th percentile)
Risk Priority: 4 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9292 is a low-severity Permissive Cross-domain Policy with Untrusted Domains (CWE-942) vulnerability in TP-Link products; the NVD configuration lists Aginet together with several other TP-Link apps (see Affected Assets). Its CVSS 4.0 base score is 2.0 (Low).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS places it at the 4.5th percentile by exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified by this analysis are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2025-9292 is a vulnerability in TP-Link's Omada Cloud Controller service stemming from a permissive web security configuration (CWE-942) that allows cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. The issue affects the web interface of the Omada Cloud Controller, a cloud-hosted management platform for TP-Link networking devices. The recorded CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N) scores 2.0: the interface is reachable over the network with low attack complexity, but exploitation depends on a precondition outside the attacker's control (AT:P), a privileged account (PR:H) and passive user interaction (UI:P), and the only impact is limited disclosure of confidential data (VC:L), with no integrity or availability impact.

Exploitation requires an existing client-side injection vulnerability in the affected web interface combined with a legitimate user's access to it. Under those conditions an attacker could abuse the permissive policy to bypass browser-enforced cross-origin protections and read sensitive information from the targeted domain.

TP-Link has fixed the issue in updated Omada Cloud Controller service versions that are deployed automatically, so no user action is required. Details are in the vendor advisories at https://www.omadanetworks.com/us/support/faq/4969/ and https://www.tp-link.com/us/support/faq/4969/.
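The page does not say which response header or policy file is permissive, so the following added example (written for this page, not TP-Link's or the advisory's code) illustrates the generic CWE-942 case the description matches: a CORS handler that reflects any Origin and grants credentials, next to a hardened allow-list version, plus a small classifier for auditing the headers a deployment actually returns to a probe carrying an untrusted Origin. The origins, the allow-list and the sample header sets are assumptions constructed for the example.

```javascript
"use strict";
// Added example: CWE-942 (permissive cross-origin policy) in CORS terms.
// Not TP-Link's or the page's code. All origins below are assumptions.

const ATTACKER_ORIGIN = "https://attacker.example";   // assumed untrusted site
const ALLOWED_ORIGINS = new Set([                       // assumed allow-list
  "https://controller.example",
  "https://portal.example",
]);

// Vulnerable pattern (CWE-942): reflect whatever Origin the browser sent and
// grant credentials. A page on any origin the victim visits can then make
// credentialed fetch() calls to this host and read the authenticated response.
function permissiveCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: exact-match allow-list, no reflection, "null" rejected
// (sandboxed iframes and data: URLs send it), and Vary: Origin so a shared
// cache never replays one origin's grant to another.
function strictCorsHeaders(requestOrigin, allowList = ALLOWED_ORIGINS) {
  if (!requestOrigin || requestOrigin === "null") return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch (_e) {
    return {};
  }
  // Comparing against URL.origin also rejects paths, userinfo or trailing
  // slashes smuggled into the header; a genuine Origin header has none.
  if (parsed.origin !== requestOrigin || !allowList.has(parsed.origin)) return {};
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Audit helper: classify the headers a server returned to a probe request
// that carried an untrusted Origin. Header names are matched case-insensitively.
function classifyCorsResponse(probeOrigin, headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const acao = h["access-control-allow-origin"];
  const withCreds = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (acao === undefined) return "no-cors";            // browser blocks the cross-origin read
  if (acao === "*") {
    // Browsers refuse "*" together with credentials, so this combination is
    // a misconfiguration but not a credentialed leak by itself.
    return withCreds ? "wildcard-with-credentials" : "public-no-credentials";
  }
  if (acao === probeOrigin) {
    return withCreds ? "reflected-origin-with-credentials" : "reflected-origin";
  }
  if (acao === "null") return "null-origin-allowed";
  return "fixed-origin";                               // some other specific origin
}

// Demo: the same untrusted Origin against both handlers.
function demo() {
  return {
    permissive: classifyCorsResponse(ATTACKER_ORIGIN, permissiveCorsHeaders(ATTACKER_ORIGIN)),
    strict: classifyCorsResponse(ATTACKER_ORIGIN, strictCorsHeaders(ATTACKER_ORIGIN)),
    trusted: strictCorsHeaders("https://controller.example")["Access-Control-Allow-Origin"],
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The classifier is the part to reuse when checking a deployment: send a request with an Origin you control and feed the response headers to `classifyCorsResponse`; "reflected-origin-with-credentials" and "null-origin-allowed" are the outcomes that let a third-party page read authenticated responses, which is the behaviour the advisory's "bypass of browser-enforced cross-origin protections" describes.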

Vulnerability details

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP-Link. No user action is required.

CWE(s)

CWE-942 Permissive Cross-domain Policy with Untrusted Domains

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directly enables exploitation of a public-facing web application via permissive cross-origin policy bypass (CWE-942), leading to unauthorized data disclosure when combined with client-side injection.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-9293 (same product: TP-Link Aginet)
CVE-2024-57049 (same vendor: TP-Link)
CVE-2026-0834 (same vendor: TP-Link)
CVE-2026-1668 (same vendor: TP-Link)
CVE-2026-34121 (same vendor: TP-Link)
CVE-2025-25897 (same vendor: TP-Link)
CVE-2025-15517 (same vendor: TP-Link)
CVE-2026-30818 (same vendor: TP-Link)
CVE-2025-25901 (same vendor: TP-Link)
CVE-2026-5509 (same vendor: TP-Link)

Affected Assets

Vendor    Product       Affected versions
tp-link   aginet        ≤ 2.13.6
tp-link   deco          ≤ 3.9.163
tp-link   festa         ≤ 1.7.1
tp-link   kasa          ≤ 3.4.350
tp-link   kidshield     ≤ 1.1.21
tp-link   omada         ≤ 4.25.25
tp-link   omada guard   ≤ 1.1.28
tp-link   tapo          ≤ 3.14.111
tp-link   tether        ≤ 4.12.27
tp-link   tp-partner    ≤ 2.0.1

Plus 4 more product configuration(s); see NVD for the full list.

Mitigating Controls (NIST 800-53 r5)

prevent (CM-6 Configuration Settings): Establishes and enforces secure configuration settings for web servers to implement strict cross-origin restrictions, directly mitigating the permissive web security configuration.

prevent: Requires publicly accessible systems to employ controls limiting access to specific origins, preventing bypass of browser-enforced cross-origin protections.

prevent (AC-4 Information Flow Enforcement): Enforces approved information flow control policies that restrict cross-origin data access, blocking unauthorized disclosure via permissive configurations.

References

https://www.omadanetworks.com/us/support/faq/4969/
https://www.tp-link.com/us/support/faq/4969/