TP-Link Omada Controllers, Password Confirmation Bypass, CVE-2025-9521 (Low)

Listen to this Post

CVE-2025-9521 is a vulnerability in TP-Link Omada Controllers that allows an attacker with a valid session token to bypass the secondary password confirmation step during password changes . The flaw resides in the password management workflow, where the application fails to properly enforce verification checks . When a user initiates a password change, the system typically requires re-authentication or confirmation of the current password as a security measure. In affected versions, this secondary verification is not enforced on the server-side, allowing authenticated requests to skip this step entirely . An attacker who has obtained a valid session token—through session hijacking, theft, or other means—can craft a direct request to the password change endpoint without including the required confirmation data . The server processes this request as valid, changing the user’s password immediately . This undermines account security by removing the final safeguard against unauthorized credential modification, potentially leading to account takeover if an attacker already has session access .
Platform: Omada Controllers
Version: < 6.0
Vulnerability : Password bypass
Severity: Low
date: 26/01/2026

Prediction: Patch available

What Undercode Say:

Analytics:

  • CISA KEV: Not added
  • Exploit Prediction: 0.036%
  • CWE: CWE-522 (Insufficiently Protected Credentials)
  • Attack Vector: Network
  • Privileges Required: High

Bash Commands:

Check current Omada Controller version
sudo omada/bin/control.sh version
Restrict management interface access (example ports 8043, 8088)
sudo iptables -A INPUT -p tcp --dport 8043 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8043 -j DROP
sudo iptables -A INPUT -p tcp --dport 8088 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8088 -j DROP
Save iptables rules (Debian/Ubuntu)
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
Monitor Omada logs for password changes
sudo tail -f /opt/tplink/OmadaController/logs/controller.log | grep -i "password.change"
Search for suspicious session activity
sudo grep "Session" /opt/tplink/OmadaController/logs/controller.log | grep -E "invalid|expired"

Exploit:

  1. Attacker obtains a valid session token (via session hijacking, stolen cookies, or insider access)
  2. Attacker crafts a POST request to the password change endpoint (e.g., /api/account/change-password)
  3. Request includes new password but omits current password or confirmation field
  4. Server accepts request without secondary validation due to CVE-2025-9521
  5. Password is changed, allowing attacker to lock out legitimate user or escalate access

Protection:

  • Update to Omada Controller version 6.0 or later immediately
  • Restrict management interface access to trusted IPs only
  • Implement firewall rules to limit access to ports 8043 and 8088
  • Enforce short session timeouts and rotate administrative credentials regularly
  • Monitor logs for password changes without corresponding confirmation entries
  • Use VPN or jump hosts for all administrative access

Impact:

  • Attackers with valid session tokens can change passwords without confirmation
  • Leads to weakened account security and potential account takeover
  • Administrative accounts may be compromised, granting full control over network management
  • Combined with session hijacking, this allows persistent unauthorized access
  • Network configurations and connected devices may be manipulated post-exploitation

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top