TP-LINK has issued a security advisory about multiple vulnerabilities in its Omada Controller software, with the most severe IDOR flaw potentially allowing a malicious administrator to hijack the primary Owner account and seize full control of the network management plane.
The three issues are: CVE-2025-9520, an IDOR vulnerability with a CVSS score of 8.3 (High) that enables manipulation of the platform's account hierarchy; CVE-2025-9521, a Password Confirmation Bypass rated Low severity; and CVE-2025-9522, a Medium-severity Blind Server-Side Request Forgery affecting the webhook functionality.
According to the advisory, exploitation of CVE-2025-9520 results in the "Full takeover of the Owner account, granting complete administrative control over Omada Controller and connected services." The password confirmation bypass, CVE-2025-9521, allows an attacker who already holds a valid session to skip the secondary verification step and change passwords, weakening account security. Administrators are advised to review the affected versions and apply updates promptly to close these gaps.
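The advisory names the vulnerability classes but not the implementation details, so the following is an added, hypothetical illustration of the two server-side checks the first and third flaws are about, not TP-Link's or Omada Controller's code. The role names, the `users` table, the `set_role_*` and `webhook_url_allowed` helpers, and the sample addresses are all constructed for the example. The vulnerable role-change handler shows the IDOR pattern (trusting a request-supplied target id once the caller is "admin or above"), the hardened one enforces the hierarchy on both the target and the requested role, and the webhook guard rejects destinations that resolve to non-global addresses.

```python
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed role hierarchy; a higher rank means more privilege.
RANK = {"viewer": 1, "admin": 2, "owner": 3}


@dataclass
class User:
    uid: str
    role: str


def make_users():
    """Constructed account table standing in for a controller's user store."""
    return {
        "u1": User("u1", "owner"),
        "u2": User("u2", "admin"),
        "u3": User("u3", "viewer"),
    }


def set_role_vulnerable(users, caller_id, target_id, new_role):
    """IDOR pattern: the only check is that the caller is at least admin.
    The target id and the new role come straight from the request, so an
    admin can demote the Owner and then promote themselves to owner."""
    caller = users[caller_id]
    if RANK[caller.role] < RANK["admin"]:
        return False
    users[target_id].role = new_role
    return True


def set_role_hardened(users, caller_id, target_id, new_role):
    """Enforce the hierarchy: the owner role is never assigned or removed
    here (ownership transfer is a separate, explicit flow), a caller may not
    act on accounts ranked at or above their own level unless they are the
    Owner, and nobody may grant a role above their own."""
    caller = users[caller_id]
    target = users.get(target_id)
    if target is None or new_role not in RANK:
        return False
    if RANK[caller.role] < RANK["admin"]:
        return False
    if "owner" in (target.role, new_role):
        return False
    if caller.role != "owner" and RANK[target.role] >= RANK[caller.role]:
        return False
    if RANK[new_role] > RANK[caller.role]:
        return False
    target.role = new_role
    return True


def webhook_url_allowed(url, resolve=None):
    """Blind-SSRF guard for a webhook destination: allow only http(s) URLs
    whose host is, or resolves to, a globally routable address. Loopback,
    link-local (including cloud metadata ranges), RFC 1918 and other
    special-purpose ranges are rejected. `resolve` maps a hostname to a
    list of IP strings; it defaults to socket.getaddrinfo and is injectable
    so this example runs offline. In production, resolve once, check every
    answer, and pin the outbound connection to the checked address so a
    DNS rebind after the check cannot redirect the request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, incl. [::1] form
    except ValueError:
        if resolve is None:
            def resolve(h):
                return sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)})
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False
    return bool(addrs) and all(a.is_global for a in addrs)


if __name__ == "__main__":
    # Admin u2 takes over the Owner account through the vulnerable handler.
    users = make_users()
    set_role_vulnerable(users, "u2", "u1", "viewer")
    set_role_vulnerable(users, "u2", "u2", "owner")
    print("vulnerable:", {u.uid: u.role for u in users.values()})
    # The same two requests are refused by the hardened handler.
    users = make_users()
    print("hardened:", set_role_hardened(users, "u2", "u1", "viewer"),
          set_role_hardened(users, "u2", "u2", "owner"))
    fake_dns = lambda h: ["127.0.0.1"]
    print("webhook to localhost allowed:", webhook_url_allowed("http://localhost/", fake_dns))
```

The hardened handler fails closed on any request it cannot fully validate (unknown target, unknown role, target or new role involving the Owner), which is the property the IDOR breaks: the caller's privilege must bound both which objects they may reference and what state they may move those objects into.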