CVE-2025-9290
moderate-risk
Published 2026-01-23
An authentication weakness was identified in the controller-device adoption process of Omada Controllers, Gateways and Access Points, caused by improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality.
Do I need to act?
0.03% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 5.9/10 · Medium · NETWORK / HIGH complexity
Affected Products (20)
Omada Controller
Omada Controller
Oc200 Firmware
Oc220 Firmware
Oc300 Firmware
Oc400 Firmware
Oc220 Firmware
Er605 Firmware
Er7206 Firmware
Er7406 Firmware
Er707-M2 Firmware
Er7412-M2 Firmware
Er8411 Firmware
Er706W Firmware
Er706W-4G Firmware
Er706Wp-4G Firmware
Er703Wp-4G-Outdoor Firmware
Dr3220V-4G Firmware
Dr3650V-4G Firmware
Dr3650V Firmware
Affected Vendors
References (3)
45/100 · moderate-risk
Severity: 18/34 · Moderate
Exploitability: 0/34 · Minimal
Exposure: 27/34 · High