Thoropass Security Research: Responsible Disclosure of TP-Link Vulnerabilities

Security research is part of how we continuously strengthen our expertise. Our pentesters are encouraged to dedicate time to independent research, allowing them to explore real-world applications, refine testing methodologies, and stay ahead of emerging attack patterns.

In 2025, as part of this initiative, I identified and responsibly disclosed three vulnerabilities affecting TP-Link’s Omada Controller. The findings were assigned CVE-2025-9520, CVE-2025-9521, and CVE-2025-9522, including one high severity issue.

These vulnerabilities ranged from broken access control (IDOR) to verification bypass and blind server-side request forgery (SSRF). All issues were reported through a coordinated disclosure process and were later addressed by the vendor.

This research reflects the same depth of analysis and practical attack simulation that we apply across our client engagements.

Target Overview and Research Approach

The research focused on TP-Link Omada Controller, a centralized network management platform designed to manage and monitor TP-Link networking devices such as access points, switches, and gateways.

Omada Controller is commonly deployed in enterprise environments, multi-site organizations, educational institutions, and service provider networks. It provides administrators with centralized visibility and control over network infrastructure, including device configuration, user management, monitoring, and remote administration.

Because of this central role, a compromise of the controller could have significant impact. Administrative access may allow an attacker to alter network configurations, manage credentials, disrupt service availability, and control the managed infrastructure as a whole. This makes the platform a meaningful and realistic target from a security research perspective.

As part of our internal research initiative, our team evaluates applications that are publicly available for installation and testing. This allows us to perform structured security analysis in a controlled environment, replicating real-world attack scenarios while respecting legal and ethical boundaries.

During this process, our researcher conducted a methodical assessment of authentication flows, access control mechanisms, and external communication features within Omada Controller. This analysis led to the identification of three distinct vulnerabilities affecting account security and internal network exposure.

CVE-2025-9520 - Insecure Direct Object Reference (IDOR) Leading to Owner Account Takeover

This vulnerability was caused by improper server-side authorization controls when handling account management operations.

Omada Controller defines multiple administrative roles. Standard administrators are permitted to manage other administrator accounts, while a higher-privileged role, the Owner, is intended to remain protected from modification.

At the user interface level, the application correctly prevented administrators from modifying the Owner account. However, security testing revealed that backend authorization checks did not fully enforce this restriction.

By identifying the internal identifier associated with the Owner account and submitting a direct password change request to the relevant endpoint, it was possible to trigger the password update process. Although the application returned a 403 Forbidden response, the password was still successfully changed.

This behavior highlights an important security lesson: HTTP status codes alone should not be assumed to reflect the true outcome of a server-side operation. Even when an application appears to block an action at the interface or response level, it is critical to verify whether the backend logic actually enforced the restriction. Proper authorization controls must be validated at the server layer, and responses should accurately reflect the real execution state of the request.

This confirmed an Insecure Direct Object Reference (IDOR): the object identifier in the request could be substituted for the Owner's without the server validating that the caller was authorized to act on that object.

Impact

An authenticated administrator could reset the Owner account password and gain full control over the Omada Controller instance.

Given the platform’s role in centrally managing network infrastructure, including devices, configurations, and user access, this vulnerability could result in complete administrative takeover of the managed environment.

CVE-2025-9521 - Secondary Verification Bypass in Password Change Functionality

This vulnerability affected the additional verification mechanism required when performing sensitive account actions.

It is common practice for applications to require users to re-enter their passwords before executing high-risk operations, such as changing account credentials or modifying security settings. This secondary verification step helps prevent abuse in scenarios such as session hijacking or unauthorized access to an already authenticated session.

Within the Omada Controller, when a user attempted to update their profile, the application prompted for password re-entry. Upon successful validation, a token was generated and intended to authorize the subsequent password update request.

However, during testing, it was observed that this verification token was not properly validated server-side. The confirmation logic was effectively enforced only at the front-end level.

By sending a direct request to the profile update endpoint, without completing the secondary verification step, it was possible to update the account settings successfully.
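An added illustration of the two server-side lessons above, the Owner password change that succeeded behind a 403 and the re-verification token that was never checked by the backend. This is constructed example code, not Omada Controller's code; the role names, user records and handler shape are assumptions. The vulnerable handler shows one way a 403 can be returned after the update has already happened; the hardened handler performs the authorization check and consumes a short-lived, caller-bound token before touching any state.

```python
import hmac
import secrets
import time

# Constructed in-memory accounts; role names and ids are assumptions.
USERS = {
    "u1": {"role": "owner", "password": "owner-pw"},
    "u2": {"role": "admin", "password": "admin-pw"},
    "u3": {"role": "admin", "password": "other-pw"},
}
# Step-up tokens issued after a successful password re-entry:
# token -> (user_id, expiry). Short-lived, single-use, bound to the caller.
REVERIFY = {}

def issue_reverify_token(user_id, password, ttl=300):
    """Secondary verification: re-enter the password, receive a token."""
    if not hmac.compare_digest(USERS[user_id]["password"], password):
        return None
    token = secrets.token_urlsafe(32)
    REVERIFY[token] = (user_id, time.time() + ttl)
    return token

def change_password_vulnerable(caller, target, new_pw):
    """The pattern described in the post: the update runs, then a 403 is
    returned, so the status code no longer reflects what the backend did."""
    USERS[target]["password"] = new_pw  # state changes before any check
    if USERS[target]["role"] == "owner" and USERS[caller]["role"] != "owner":
        return 403  # too late: the Owner password is already changed
    return 200

def change_password_hardened(caller, target, new_pw, token):
    """Every check runs before the state change: authorization first,
    then the step-up token, which is consumed whether or not it is valid."""
    if USERS[target]["role"] == "owner" and caller != target:
        return 403  # only the Owner may modify the Owner account
    entry = REVERIFY.pop(token, None)  # single use: removed on first read
    if entry is None or entry[0] != caller or entry[1] < time.time():
        return 401  # missing, expired, or issued to a different session
    USERS[target]["password"] = new_pw
    return 200
```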

Impact

An attacker in possession of a valid session (for example, through session compromise or unattended access to a logged-in workstation) could change the account settings without re-confirming credentials.

While this issue required an already authenticated session, it weakened the intended defense-in-depth controls designed to protect sensitive operations and was therefore assigned a low severity classification.

CVE-2025-9522 - Blind Server-Side Request Forgery (SSRF) via Webhook Functionality

This vulnerability affected the webhook configuration feature within the Omada Controller.

Server-Side Request Forgery (SSRF) occurs when an application allows user-supplied input to trigger server-side network requests without properly validating or restricting the destination. Depending on implementation, SSRF can allow attackers to interact with internal services, enumerate infrastructure, or access unintended resources.

In this case, Omada Controller allowed administrators to configure webhooks by specifying a target URL. Testing showed that this functionality did not sufficiently restrict the outbound connections the server initiated on the administrator's behalf.

By leveraging the webhook testing feature, it was possible to supply arbitrary internal IP addresses and ports as destinations. While the application did not return response bodies from these requests, differences in the HTTP response behavior allowed an attacker to infer which internal IP addresses and ports were reachable and actively responding.

This confirmed the presence of a Blind SSRF, where the attacker cannot directly read responses but can still observe interaction patterns and infer the existence of internal services.

Impact

An authenticated user with sufficient privileges could enumerate internal network services running on the host system or within its accessible network environment.

Although no direct data exfiltration was possible through this vector alone, the ability to map internal services could facilitate further attack paths, particularly in environments where the controller has access to sensitive internal infrastructure.

This vulnerability was categorized as a medium severity issue.

Vendor Response & Patch

All three vulnerabilities were reported to TP-Link through a coordinated and responsible disclosure process.

Following validation of the findings, TP-Link acknowledged the issues and initiated remediation efforts. In early 2026, updated versions of Omada Controller were released addressing the identified vulnerabilities.

On January 26, 2026, TP-Link published a public Security Advisory detailing the vulnerabilities and associated fixes. The advisory references CVE-2025-9520, CVE-2025-9521, and CVE-2025-9522, and credits Thoropass for the discovery and responsible disclosure of the issues.

We appreciate the professional collaboration throughout the disclosure process and the vendor’s commitment to addressing the findings transparently.


Conclusion

Security vulnerabilities are not exclusive to small or immature products. Even established vendors with dedicated internal security teams can benefit from independent testing and external research perspectives.

The vulnerabilities identified in Omada Controller are representative of the types of issues that structured security assessments are designed to uncover. These are not exotic attack techniques, but practical weaknesses that can have significant real-world impact when overlooked.

Mature vendors still benefit from independent testing.

At Thoropass, this research reflects the same methodology and depth we apply during client engagements. By continuously investing in hands-on security research, our team strengthens its ability to identify meaningful risks, validate exploitability, and provide actionable remediation guidance.

Security is an ongoing process. Independent assessment, responsible disclosure, and continuous improvement remain essential components in building and maintaining resilient systems.

Eduardo Bido