TP-Link Security Advisory: CVE-2025-9292/9293 Fixes for Omada/Tapo/Kasa

Critical Vulnerability Information Vulnerability Description: CVE-2025-9292: A lenient web security policy in the Omada Cloud Controller allows bypass of cross-origin access control. Under specific conditions, modern browsers may circumvent cross-origin restrictions caused by existing client-side injection vulnerabilities and user access to affected website interfaces. CVSS v4.0 Score: 2.0 / Low Vulnerability Description and Impact (CVE-2025-9293) An authentication flaw in the Omada Cloud Controller allows unauthenticated attackers to tamper with identities during TLS communication. Attackers in privileged network positions may intercept or modify data within the communication channel. CVSS v4.0 Score: 7.7 / High Affected Products/Versions and Remediation Recommendations 1. CVE-2025-9292: For Omada Cloud deployments, no user action is required, as updates will be automatically applied to the cloud environment after TP-Link verification. 2. CVE-2025-9293: Users of affected mobile applications should open the Google Play Store to check for and install the latest version of the app (see above). Note: iOS applications are not affected. Disclaimer If all recommended actions are not performed, the vulnerability will remain present. TP-Link is not liable for any consequences that may result from failure to follow this advisory.

Goal Reached Thanks to every supporter — we hit 100%!

TP-Link Security Advisory: CVE-2025-9292/9293 Fixes for Omada/Tapo/Kasa