Omada Controller XSS and Device Adoption Auth Bypass Vulnerabilities (CVE-2025-9289/9290)

From the screenshot, the following key vulnerability information can be obtained: Vulnerabilities CVE-2025-9289 - Description: Cross-Site Scripting (XSS) vulnerability in Omada Controllers caused by improper input sanitization. - Risk: Exploitation requires advanced conditions, such as specific network positioning or emulation of a trusted entity, along with user interaction from an authenticated administrator. - Impact: Enables arbitrary JavaScript execution in the administrator’s browser, potentially leading to exposure of sensitive information and confidentiality compromise. - Severity: CVSS v4.0 Score 5.7 / Medium - Affected Products: Software (Win/Linux), Cloud, OC Series (OC200/OC220/OC300/OC400) CVE-2025-9290 - Description: Authentication weakness during controller-device adoption due to improper handling of random values. - Risk: An attacker with advanced network positioning can intercept adoption traffic and forge valid authentication via offline precomputation. - Impact: Exposure of sensitive information and confidentiality compromise. - Severity: CVSS v4.0 Score 6.0 / Medium - Affected Products: Controllers, Gateways, and Access Points (ER/DR Series, EAP Series) Affected Products Summary Controllers - Software (Win/Linux) - Cloud Controller - Hardware Controllers (OC200, OC220, OC300, OC400) Gateways - ER/DR Series (ER605, ER7206, ER7406, etc.) Access Points - EAP Series (EAP655-Wall, EAP660 HD, EAP620 HD, etc.) Recommendations 1. Firmware Update: Download and install the latest firmware version. Links: - Download for US - Download for EN 2. Password Change: Change the password after upgrading the firmware to mitigate risks associated with potential password leakage. Disclaimer Failure to follow the recommended actions may leave the vulnerabilities unpatched, potentially exposing systems to ongoing risks.

Goal Reached Thanks to every supporter — we hit 100%!

Omada Controller XSS and Device Adoption Auth Bypass Vulnerabilities (CVE-2025-9289/9290)