Cyber Posture

CVE-2025-9292

High

Published: 13 February 2026

Modified: 01 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (4.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9292 is a high-severity Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942) vulnerability in Tp-Link Aginet. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 4.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Directly enables exploitation of a public-facing web application via permissive cross-origin policy bypass (CWE-942), leading to unauthorized data disclosure when combined with client-side injection.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required.

Deeper analysis (AI-generated)

CVE-2025-9292 is a vulnerability in TP-Link's Omada Cloud Controller service stemming from a permissive web security configuration (CWE-942) that allows cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. The issue affects the web interface of the Omada Cloud Controller, a cloud-based management platform for TP-Link networking devices. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low attack complexity.

Exploitation requires an existing client-side injection vulnerability in conjunction with legitimate user access to the affected web interface. A remote, unauthenticated attacker could leverage this setup to bypass browser-enforced cross-origin protections, potentially enabling unauthorized disclosure of sensitive information from the targeted domain.

TP-Link has addressed the vulnerability through automatic deployment of updated Omada Cloud Controller service versions, requiring no user action. Detailed mitigation information is available in advisories at https://www.omadanetworks.com/us/support/faq/4969/ and https://www.tp-link.com/us/support/faq/4969/.
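The weakness class named above (CWE-942, a cross-origin policy that trusts domains it should not) is easiest to recognise in code. The following Python is an added illustration, not TP-Link or Omada code, and the page does not disclose the actual Omada configuration: it contrasts an Origin-reflecting CORS handler with an exact-match allowlist, and adds a defender-side audit that flags the permissive indicators in a captured response. The hostnames and the allowlist are constructed placeholders.

```python
"""
Illustrative CORS policy check for CWE-942 (permissive cross-domain policy).
Added example; not TP-Link/Omada code. Hostnames below are placeholders.
"""
from urllib.parse import urlsplit

# Constructed allowlist of the exact origins the web interface should trust.
TRUSTED_ORIGINS = frozenset({"https://controller.example.test"})


def permissive_cors(origin: str) -> dict:
    """The weak pattern: echo whatever Origin the browser sent and allow
    credentials. Any site a logged-in user visits can then read responses
    from this interface. Shown only as the 'before' case."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors(origin: str) -> dict:
    """Allowlist pattern: exact origin match (scheme + host + port) or no
    CORS headers at all, plus Vary: Origin so a shared cache does not hand
    a header minted for one origin to another."""
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def _same_origin(a: str, b: str) -> bool:
    # Compare the (scheme, host, port) tuple; a plain suffix/prefix string
    # match would accept attacker-controlled lookalike hosts.
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def audit_cors_response(request_origin: str, headers: dict) -> list:
    """Defender-side check over one captured response. Returns a list of
    findings; an empty list means no CWE-942 indicators for this request."""
    findings = []
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return findings  # no cross-origin read allowed at all
    if acao == "*" and creds:
        findings.append("wildcard origin combined with credentials")
    if acao == "null":
        findings.append("'null' origin allowed (sandboxed iframe / file contexts)")
    if acao not in ("*", "null") and not any(_same_origin(acao, t) for t in TRUSTED_ORIGINS):
        msg = "untrusted origin allowed: " + acao
        if acao == request_origin:
            msg += " (reflected from request)"
        if creds:
            msg += " with credentials"
        findings.append(msg)
    if acao != "*" and "Origin" not in headers.get("Vary", ""):
        findings.append("per-origin ACAO without Vary: Origin (cache poisoning risk)")
    return findings


if __name__ == "__main__":
    for origin in ("https://controller.example.test", "https://attacker.example.test"):
        print(origin, "permissive:", audit_cors_response(origin, permissive_cors(origin)))
        print(origin, "hardened: ", audit_cors_response(origin, hardened_cors(origin)))
```

The audit deliberately compares the full (scheme, host, port) tuple rather than a substring, because `endswith`-style checks are the other common way such a policy becomes permissive; the same function can be run over exported proxy logs to spot reflected origins in bulk.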

Details

CWE(s): CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains

Affected Products

Vendor    Product       Affected versions
tp-link   aginet        ≤ 2.13.6
tp-link   deco          ≤ 3.9.163
tp-link   festa         ≤ 1.7.1
tp-link   kasa          ≤ 3.4.350
tp-link   kidshield     ≤ 1.1.21
tp-link   omada         ≤ 4.25.25
tp-link   omada guard   ≤ 1.1.28
tp-link   tapo          ≤ 3.14.111
tp-link   tether        ≤ 4.12.27
tp-link   tp-partner    ≤ 2.0.1

+4 more product configuration(s); see NVD for the full list.

CVEs Like This One

CVE-2025-9293 (same product: Tp-Link Aginet)
CVE-2024-57049 (same vendor: Tp-Link)
CVE-2026-1668 (same vendor: Tp-Link)
CVE-2025-15517 (same vendor: Tp-Link)
CVE-2026-0834 (same vendor: Tp-Link)
CVE-2025-25897 (same vendor: Tp-Link)
CVE-2026-34121 (same vendor: Tp-Link)
CVE-2026-3622 (same vendor: Tp-Link)
CVE-2025-6542 (same vendor: Tp-Link)
CVE-2026-25478 (shared CWE-942)

References