Security Advisory on Cross-Site Scripting Vulnerability on Omada Controllers (CVE-2025-9289), and Authentication Weakness on Omada Controllers, Gateways and Access Points (CVE-2025-9290)

Security Vulnerability
01-22-2026

Vulnerability Descriptions and Impacts:

CVE-2025-9289: Omada Controllers

A Cross-Site Scripting (XSS) vulnerability was identified in a parameter handled by Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or impersonating a trusted entity, together with interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator's browser, potentially exposing sensitive information and compromising confidentiality.

CVSS v4.0 Score: 5.7 / Medium

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

CVE-2025-9290: Omada Controllers, Gateways and Access Points

An authentication weakness was identified in the controller-device adoption process due to improper handling of random values. Exploitation requires advanced network positioning (adjacent network access): an attacker who can intercept adoption traffic can forge valid authentication by precomputing values offline, potentially exposing sensitive information and compromising confidentiality.

CVSS v4.0 Score: 6.0 / Medium

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
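The weakness class described above, as an added illustration that is not part of this advisory and does not describe the Omada adoption protocol: a generic challenge-response adoption handshake in which the shared adoption secret is derived from a 16-bit seed (a constructed assumption), so an attacker who captures one device_id/challenge/proof exchange can enumerate every possible secret offline, recover the real one, and forge the proof for a later session. The hardened form draws the secret from the OS CSPRNG, and the same attacker budget fails. All function names, the seed size and the message layout are assumptions made for the illustration.

```python
"""Generic model of the weakness class behind CVE-2025-9290: an adoption
handshake whose shared secret comes from a low-entropy random source.
Constructed illustration only; it is not the Omada protocol, and the names,
the 16-bit seed space and the message layout are assumptions."""
import functools
import hashlib
import hmac
import random
import secrets
from typing import List, Optional

SEED_BITS = 16  # assumption: the weak generator is fully determined by a 16-bit seed


def weak_random_secret(seed: int) -> bytes:
    """Improper handling of random values: a PRNG seeded from a tiny space,
    so only 2**SEED_BITS distinct adoption secrets can ever be produced."""
    rng = random.Random(seed & ((1 << SEED_BITS) - 1))
    return rng.getrandbits(128).to_bytes(16, "big")


def strong_random_secret() -> bytes:
    """Hardened form: draw the adoption secret from the OS CSPRNG (256 bits)."""
    return secrets.token_bytes(32)


def adoption_proof(secret: bytes, device_id: bytes, challenge: bytes) -> bytes:
    """Proof exchanged during adoption. device_id, challenge and proof travel
    on the wire and can be intercepted; the secret itself does not."""
    return hmac.new(secret, device_id + challenge, hashlib.sha256).digest()


@functools.lru_cache(maxsize=1)
def precompute_candidates() -> List[bytes]:
    """Offline precomputation: enumerate every secret the weak generator can emit."""
    return [weak_random_secret(seed) for seed in range(1 << SEED_BITS)]


def recover_secret(candidates: List[bytes], device_id: bytes,
                   challenge: bytes, observed_proof: bytes) -> Optional[bytes]:
    """Match one captured exchange against the precomputed candidate secrets."""
    for cand in candidates:
        if hmac.compare_digest(adoption_proof(cand, device_id, challenge), observed_proof):
            return cand
    return None


def forge_after_capture(secret: bytes, candidates: List[bytes]) -> bool:
    """Capture one adoption exchange, recover the secret from the precomputed
    table, then forge the proof for a later challenge. Returns whether a
    verifier holding the real secret would accept the forged proof."""
    device_id = b"AP-0001"                        # constructed sample device identity
    captured_challenge = secrets.token_bytes(16)  # challenge seen in the captured exchange
    captured_proof = adoption_proof(secret, device_id, captured_challenge)
    recovered = recover_secret(candidates, device_id, captured_challenge, captured_proof)
    if recovered is None:
        return False
    later_challenge = secrets.token_bytes(16)     # a subsequent adoption session
    forged = adoption_proof(recovered, device_id, later_challenge)
    expected = adoption_proof(secret, device_id, later_challenge)
    return hmac.compare_digest(forged, expected)


def attack_succeeds_against_weak() -> bool:
    return forge_after_capture(weak_random_secret(0xBEEF), precompute_candidates())


def attack_succeeds_against_strong() -> bool:
    # Same attacker budget (2**16 candidates) against a 256-bit CSPRNG secret.
    return forge_after_capture(strong_random_secret(), precompute_candidates())


if __name__ == "__main__":
    print("weak RNG secret, forged proof accepted:", attack_succeeds_against_weak())
    print("CSPRNG secret, forged proof accepted:  ", attack_succeeds_against_strong())
```

The point of the model is that the proof construction itself (an HMAC over device identity and challenge) is sound; the failure is entirely in how the secret was generated, which is why the fix is a firmware update on both the controller and the adopted devices rather than a protocol change.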

Affected Products Summary:

Product Family | Models | CVEs | Affected Versions
Controllers | Software (Win/Linux), Cloud, OC Series (OC200/OC220/OC300/OC400) | CVE-2025-9289, CVE-2025-9290 | < 6.0.0.x (see Detailed Version Information)
Gateways | ER/DR Series (ER605, ER7206, ER7406, ER707-M2, ER7412-M2, ER8411, ER706W variants, ER701-5G, ER7212PC), FR365, G36W-4G | CVE-2025-9290 | < respective versions (see Detailed Version Information)
Access Points | EAP Series (EAP655-Wall, EAP660 HD, EAP620 HD, EAP610, EAP623/625 Outdoor HD, EAP772/770/723/773/783/787, EAP725-Wall, Bridge Kits, Beam Bridge, EAP603GP/EAP615GP/EAP625GP/EAP610GP/EAP650GP, EAP653/EAP650-Outdoor/EAP230/EAP235/EAP603-Outdoor/EAP653 UR/EAP650-Desktop/EAP615-Wall/EAP100-Bridge KIT) | CVE-2025-9290 | < respective versions (see Detailed Version Information)

Detailed Version Information:

Affected Product Model | Related Vulnerabilities | Affected Version

Controllers:
Software Controllers (Win & Linux) | CVE-2025-9289, CVE-2025-9290 | < 6.0.0.24
Cloud Controller | CVE-2025-9289, CVE-2025-9290 | < 6.0.0.100

Hardware Controllers:
OC200 | CVE-2025-9289, CVE-2025-9290 | < 6.0.0.34 (OC200(UN)_V1_1.37.9 Build 20251027; OC200(UN)_V2_2.22.9 Build 20251027)
OC220 | CVE-2025-9289 | < 6.0.0.34 (OC220(UN)_V1_1.2.9 Build 20251027)
OC220 | CVE-2025-9290 | < 5.15.24 (OC220(UN)_V1_1.1.3 Build 20250918; OC220(UN)_V2 Build 20250929)
OC300 | CVE-2025-9289, CVE-2025-9290 | < 6.0.0.34 (OC300(UN)_V1.6_1.31.9 Build 20251027)
OC400 | CVE-2025-9289, CVE-2025-9290 | < 6.0.0.34 (OC400(UN)_V1.6_1.9.9 Build 20251027)

Gateways:
ER605 v2.0 | CVE-2025-9290 | < 2.3.2 Build 20251029 Rel.12727
ER7206 v2.0 | CVE-2025-9290 | < 2.2.2 Build 20250724 Rel.11109
ER7406 | CVE-2025-9290 | < 1.2.2 Build 20250724 Rel.11109
ER707-M2 | CVE-2025-9290 | < 1.3.1 Build 20251009 Rel.67687
ER7412-M2 | CVE-2025-9290 | < 1.1.0 Build 20251015 Rel.63594
ER8411 | CVE-2025-9290 | < 1.3.5 Build 20251028 Rel.06811
ER706W | CVE-2025-9290 | < 1.2.1 Build 20250821 Rel.80909
ER706W-4G | CVE-2025-9290 | < 1.2.1 Build 20250821 Rel.82492
ER706W-4G 2.0 | CVE-2025-9290 | < 2.1.0 Build 20250810 Rel.77020
ER706WP-4G | CVE-2025-9290 | < 1.1.0 Build 20250810 Rel.77020
ER703WP-4G-Outdoor | CVE-2025-9290 | < 1.1.0 Build 20250822 Rel.08201
DR3220v-4G | CVE-2025-9290 | < 1.1.0 Build 20250801 Rel.81473
DR3650v | CVE-2025-9290 | < 1.1.0 Build 20250801 Rel.81737
DR3650v-4G | CVE-2025-9290 | < 1.1.0 Build 20250801 Rel.81753
ER701-5G-Outdoor | CVE-2025-9290 | < 1.0.0 Build 20250826 Rel.68862
ER605W 2.0 | CVE-2025-9290 | < 2.0.2 Build 20250723 Rel.39048
ER7212PC 2.0 | CVE-2025-9290 | < 2.2.1 Build 20251027 Rel.75129
FR365 | CVE-2025-9290 | < 1.1.10 Build 20250626 Rel.81746
G36W-4G | CVE-2025-9290 | < 1.1.5 Build 20250710 Rel.62142

Access Points:
EAP655-Wall v1.0 | CVE-2025-9290 | < 1.6.2 Build 20251107 Rel. 35700
EAP660 HD v1.0, EAP660 HD v2.0 | CVE-2025-9290 | < 1.6.1 Build 20251218 Rel. 60476
EAP620 HD v3.0/3.20, EAP620 HD v2., EAP610-Outdoor v1.0/1.20, EAP610 v1.0, EAP610 v2.0, EAP623-Outdoor HD v1.0, EAP625-Outdoor HD v1.0 | CVE-2025-9290 | < 1.6.1 Build 20251218 Rel. 60435
EAP772 v2.0, EAP772-Outdoor v1.0, EAP770 v2.0, EAP723 v1.0 | CVE-2025-9290 | < 1.3.2 Build 20250901 Rel. 52255
EAP773 v1.0, EAP783 v1.0, EAP772 v1.0 | CVE-2025-9290 | < 1.1.2 Build 20251030 Rel. 58575
EAP787 v1.0 | CVE-2025-9290 | < 1.1.2 Build 20251013 Rel. 32717
EAP720 v1.0, EAP723 v2.0, EAP725-Wall v1.0 | CVE-2025-9290 | < 1.1.2 Build 20250901 Rel. 74897
EAP215 Bridge KIT 3.0, EAP211 Bridge KIT 3.0 | CVE-2025-9290 | < 1.1.4 Build 20251112 Rel. 34769
Beam Bridge 5 UR v1.0 | CVE-2025-9290 | < 1.1.5 Build 20250928 Rel. 68499
EAP603GP-Desktop 1.0, EAP615GP-Wall 1.0/1.20, EAP625GP-Wall 1.0/1.20, EAP610GP-Desktop 1.0/1.20/1.26 | CVE-2025-9290 | < 1.1.0 Build 20251028 Rel. 81486
EAP650GP-Desktop 1.0 | CVE-2025-9290 | < 1.0.1 Build 20250819 Rel. 60298
EAP653 v1.0, EAP650-Outdoor v1.0 | CVE-2025-9290 | < 1.3.3 Build 20251111 Rel. 72627
EAP230-Wall v1.0, EAP235-Wall v1.0 | CVE-2025-9290 | < 3.3.1 Build 20251203 Rel. 58135
EAP603-Outdoor v1.0 | CVE-2025-9290 | < 1.5.1 Build 20250917 Rel. 50214
EAP653 UR v1.0 | CVE-2025-9290 | < 1.4.2 Build 20251208 Rel. 43830
EAP650-Desktop v1.0 | CVE-2025-9290 | < 1.1.0 Build 20251105 Rel. 50852
EAP615-Wall v1.20, EAP615-Wall v1.0 | CVE-2025-9290 | < 1.5.10 Build 20250903 Rel. 49784
EAP100-Bridge KIT v1.0 | CVE-2025-9290 | < 1.0.3 Build 20251015 Rel. 62058

Recommendation(s):

We strongly recommend that users with the affected device(s) take the following actions:

  1. Download and update to the latest firmware version to fix these vulnerabilities:

https://support.omadanetworks.com/us/download/

https://support.omadanetworks.com/en/download/

  2. Change the password after the firmware upgrade to mitigate the potential risk of password leakage.
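One way to apply the Detailed Version Information table across a device inventory before and after the upgrade, as an added example that is not TP-Link tooling: parse the "X.Y.Z Build YYYYMMDD Rel. NNNNN" strings into numeric tuples and compare each running firmware against the model's threshold. The table in the code is a constructed subset of the advisory's rows (extend it with the rows for the models you operate), and the comparison rule (dotted version number first, then build date, with the Rel. serial ignored) is an assumption.

```python
"""Check running Omada firmware strings against the advisory's "Affected
Version" thresholds. Added example, not TP-Link tooling; AFFECTED_BELOW is a
constructed subset of the advisory table, and the ordering rule (version
numbers, then build date; Rel. serial ignored) is an assumption."""
import re
from typing import Dict, Optional, Tuple

# Constructed subset of the "Detailed Version Information" table:
# model -> fixed threshold; anything below it is affected.
AFFECTED_BELOW: Dict[str, str] = {
    "Software Controllers (Win & Linux)": "6.0.0.24",  # CVE-2025-9289 and CVE-2025-9290
    "OC200": "6.0.0.34",                                # CVE-2025-9289 and CVE-2025-9290
    "ER605 v2.0": "2.3.2 Build 20251029 Rel.12727",     # CVE-2025-9290
    "EAP655-Wall v1.0": "1.6.2 Build 20251107 Rel. 35700",
    "EAP615-Wall v1.0": "1.5.10 Build 20250903 Rel. 49784",
}

ParsedVersion = Tuple[Tuple[int, ...], int]

_VERSION_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)*)"          # dotted version number, e.g. 1.5.10
    r"(?:\s+Build\s+(\d{8}))?"      # optional build date YYYYMMDD
    r"(?:\s+Rel\.\s*(\d+))?\s*$"    # optional release serial (parsed, then ignored)
)


def parse_version(text: str) -> ParsedVersion:
    """Turn "1.5.10 Build 20250903 Rel. 49784" into ((1, 5, 10), 20250903).
    Numeric tuples are used so that 1.5.10 sorts after 1.5.9; a plain string
    comparison would rank them the wrong way round."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return numbers, build


def is_affected(model: str, running: str) -> Optional[bool]:
    """True if the running firmware is below the model's fixed threshold,
    False if it is at or above it, None if the model is not in the table."""
    threshold = AFFECTED_BELOW.get(model)
    if threshold is None:
        return None
    return parse_version(running) < parse_version(threshold)


def audit(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Evaluate a {model: running_version} inventory in one pass."""
    return {model: is_affected(model, version) for model, version in inventory.items()}


if __name__ == "__main__":
    sample_inventory = {  # constructed sample inventory
        "ER605 v2.0": "2.3.1 Build 20250601 Rel.11000",
        "EAP615-Wall v1.0": "1.5.10 Build 20250903 Rel. 49784",
        "OC200": "5.15.24",
        "EAP999 v1.0": "1.0.0",
    }
    for model, status in audit(sample_inventory).items():
        label = "AFFECTED" if status else ("ok" if status is False else "not in table")
        print(f"{model}: {label}")
```

A running firmware that carries the same dotted version as the threshold but an older build date (for example 1.6.2 Build 20251001 on an EAP655-Wall v1.0) is reported as affected, because the advisory gives the fixed build as "< 1.6.2 Build 20251107"; if your fleet reports versions without a build date, the check falls back to the dotted number alone.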

Disclaimer:

If you do not take the recommended actions stated above, these vulnerabilities will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following the recommended actions in this statement.
