Listen to this Post
CVE-2025-9522 is a Blind Server-Side Request Forgery (SSRF) vulnerability affecting TP-Link Omada Controllers . The flaw resides specifically within the webhook functionality of the controller, where an authenticated attacker with high privileges (administrative access) can configure a webhook URL pointing to internal network resources . Due to inadequate input validation and URL filtering, the application fails to restrict destinations to private IP ranges (such as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or localhost) . When the webhook is triggered, the server initiates an HTTP request from itself to the attacker-specified internal target . Because this is a “blind” SSRF, the attacker does not directly receive the response body but can infer information about the internal network—such as open ports, running services, or internal IP addresses—by analyzing response times, HTTP status codes, or error messages . This enumeration can map internal topologies and potentially expose sensitive endpoints, facilitating further attacks against otherwise inaccessible internal systems . The vulnerability is officially classified under CWE-918 and affects Omada Controller versions prior to 6.0 .
dailycve form:
Platform: TP-Link Omada
Version: Prior 6.0
Vulnerability : Blind SSRF
Severity: MEDIUM (5.1)
date: 2026-01-26
Prediction: 2026-01-26
What Undercode Say:
Analytics:
The vulnerability requires high privileges, limiting the attack surface to administrators or compromised admin accounts . The CVSS v4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) indicates a network attack vector with low complexity, but it only allows for low confidentiality impact without affecting integrity or availability . The attack is not automatable and requires no user interaction . It was published on January 26, 2026, with the patch available in version 6.0 on the same day .
Bash Commands and Code:
Example: Detect potentially malicious webhook configurations pointing to internal IPs
grep -iE '(10.[0-9]{1,3}.|172.(1[6-9]|2[0-9]|3[0-1]).|192.168.|127.0.0.1|169.254.|localhost)' /opt/tplink/omada/data/profiles/.json
Example: Network-level mitigation using iptables to block outbound SSRF from Omada Controller
Block RFC 1918 addresses
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Block link-local and metadata IPs
iptables -A OUTPUT -d 169.254.0.0/16 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -d 0.0.0.0/8 -j DROP
iptables -A OUTPUT -d 224.0.0.0/4 -j DROP
iptables -A OUTPUT -d 240.0.0.0/4 -j DROP
How Exploit:
- Authenticate: Attacker logs into the Omada Controller management interface with administrative privileges .
- Navigate: Attacker accesses the webhook configuration section .
- Craft URL: Attacker inputs a malicious URL targeting an internal service (e.g., `http://192.168.1.1/admin`, `http://localhost:8080/`, `http://169.254.169.254/latest/meta-data/`) .
- Trigger: The Omada Controller saves the configuration and later, when the webhook event occurs, the server initiates an HTTP request to the internal target .
- Infer Data: The attacker analyzes the behavior (e.g., timeouts vs. fast responses, differences in error messages) to map internal services .
Protection from this CVE
- Patch: Immediately update the Omada Controller to version 6.0 or later, which contains the official fix .
- Network Segmentation: Implement firewall rules to prevent the Omada Controller from initiating connections to internal (RFC 1918) and link-local addresses .
- Disable Webhooks: If the webhook functionality is not essential for business operations, disable it entirely .
- Audit Configurations: Regularly audit existing webhook configurations to ensure no URLs point to internal IP addresses .
- Access Control: Enforce strict access controls and multi-factor authentication for all administrator accounts to prevent credential compromise .
Impact:
Successful exploitation allows an attacker to perform internal network reconnaissance, mapping out live hosts, open ports, and running services behind the firewall . While the vulnerability itself only leads to information disclosure (low confidentiality impact), it serves as a critical stepping stone for further attacks, enabling lateral movement and potential compromise of sensitive internal systems that are otherwise protected from direct external access .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

