TP-Link has issued a security advisory regarding multiple vulnerabilities discovered in its Omada Controller software, a popular centralized management platform for business networking. The most severe among them could allow a malicious administrator to hijack the primary “Owner” account, effectively seizing total control of the network infrastructure.
The advisory details three distinct vulnerabilities, ranging from high-severity account takeover risks to lower-severity logical bypasses.
The most critical flaw, tracked as CVE-2025-9520, carries a CVSS score of 8.3 (High). It is an Insecure Direct Object Reference (IDOR) vulnerability that exposes the platform’s account hierarchy to manipulation.
In the Omada ecosystem, the “Owner” account holds the ultimate keys to the kingdom. However, researchers found that a user with “Administrator” permissions, one step below the Owner, could manipulate requests to hijack this supreme account.
According to the advisory, exploitation results in the “Full takeover of the Owner account, granting complete administrative control over Omada Controller and connected services”. This effectively allows a rogue admin or a compromised admin account to lock out the actual owner and commandeer the entire network management plane.
The second vulnerability, CVE-2025-9521, highlights a flaw in the platform’s authentication logic. Rated as Low severity (CVSS 2.1), this “Password Confirmation Bypass” vulnerability undermines the safeguards intended to prevent unauthorized changes.
The report notes that “An attacker with a valid session token may be able to bypass secondary verification and change the user’s password without proper confirmation, leading to weakened account security”. While it requires a valid session to exploit, it removes a critical layer of defense against account tampering.
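The two account-management flaws above share a root cause: the server acting on a client-supplied account identifier without checking, on its own side, that the caller is allowed to touch that account, and accepting a client's claim that a password confirmation step was completed. The following Python is an added illustrative example, not TP-Link's or Omada's code; it assumes a hypothetical three-level role hierarchy (owner above administrator above viewer) and shows the object-level authorization and server-side re-authentication checks that close both classes of bug.

```python
"""Object-level authorization and password-confirmation checks for a
multi-user management plane. Added example; not TP-Link/Omada code.
Assumption: a simple rank order owner > administrator > viewer."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

RANK = {"owner": 3, "administrator": 2, "viewer": 1}


class AuthorizationError(Exception):
    """Raised when a request fails an access check."""


@dataclass
class Account:
    user_id: str
    role: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""

    def set_password(self, password: str) -> None:
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(self.pw_hash, candidate)


def can_modify(actor: Account, target: Account) -> bool:
    """IDOR guard: a caller may edit its own account or an account of
    strictly lower rank. The target is looked up by the server, so an
    administrator supplying the owner's id is refused regardless of
    what else the request body says."""
    if actor.user_id == target.user_id:
        return True
    return RANK[actor.role] > RANK[target.role]


def change_password(actor: Account, target: Account,
                    current_password: str, new_password: str) -> bool:
    # 1. Object-level check, evaluated server-side on the resolved target.
    if not can_modify(actor, target):
        raise AuthorizationError(f"{actor.user_id} may not modify {target.user_id}")
    # 2. Secondary verification: the actor re-proves its own current
    #    password here. A client-side "confirmed" flag is never consulted.
    if not actor.check_password(current_password):
        raise AuthorizationError("password confirmation failed")
    target.set_password(new_password)
    return True


def change_role(actor: Account, target: Account, new_role: str) -> bool:
    if new_role not in RANK:
        raise ValueError(f"unknown role {new_role!r}")
    if not can_modify(actor, target):
        raise AuthorizationError(f"{actor.user_id} may not modify {target.user_id}")
    # Nobody below the owner may grant a rank equal to or above their own,
    # so an administrator cannot promote itself (or anyone) to owner.
    if actor.role != "owner" and RANK[new_role] >= RANK[actor.role]:
        raise AuthorizationError("cannot grant a rank at or above your own")
    target.role = new_role
    return True


def is_denied(action, *args) -> bool:
    """Helper for demonstrations: True when the action is refused."""
    try:
        action(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample accounts.
    owner = Account("u1", "owner"); owner.set_password("owner-pw")
    admin = Account("u2", "administrator"); admin.set_password("admin-pw")
    print("admin edits owner:", not is_denied(change_password, admin, owner, "admin-pw", "x"))
    print("admin self-promotes:", not is_denied(change_role, admin, admin, "owner"))
```

The important design point is that both checks run against the account record the server resolved from the identifier, never against role or confirmation fields the client sent; a lower-ranked caller therefore cannot reach the owner record at all, and a valid session alone is not enough to change a password.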
The third flaw is CVE-2025-9522, a Blind Server-Side Request Forgery (SSRF) vulnerability rated as Medium severity (CVSS 5.1). This flaw resides in the controller’s webhook functionality.
By crafting specific requests, an attacker could trick the server into communicating with internal services it shouldn’t access. The advisory warns that “It may allow enumeration of information,” potentially helping an attacker map out the internal network architecture for further attacks.
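A webhook feature is SSRF-prone precisely because the server is designed to make outbound requests to operator-chosen URLs. The defensive pattern is to validate the destination before connecting: restrict the scheme and port, resolve the hostname once, reject any address that is loopback, private, link-local or otherwise non-public, and then connect to the vetted address rather than re-resolving. The Python below is an added example and not TP-Link's or Omada's implementation; the allowed port list and the `resolver` parameter (which lets the check run offline against a fake resolver) are assumptions of this example.

```python
"""Webhook destination validation against SSRF. Added example; not
TP-Link/Omada code. Assumes outbound webhooks are HTTP(S) calls to
operator-configured URLs; ALLOWED_PORTS is an assumed policy."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080, 8443}


def is_public_ip(addr: str) -> bool:
    """True only for addresses that are routable on the public Internet."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_webhook_url(url: str, resolver=socket.getaddrinfo) -> list:
    """Return the vetted address list for `url`, or raise ValueError.

    The caller should connect to one of the returned addresses (with the
    original hostname in the Host/SNI fields) instead of resolving again,
    which defeats DNS-rebinding between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in webhook URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port {port} not allowed")

    try:
        # Literal IP: no lookup needed, judge it directly.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        addrs = sorted({info[4][0] for info in infos})
        if not addrs:
            raise ValueError("host did not resolve")

    # Every resolved address must be public; one internal A/AAAA record
    # is enough to reject the destination.
    for addr in addrs:
        if not is_public_ip(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return addrs


def is_safe_webhook_url(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        validate_webhook_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample destinations; 150.0.0.1 is simply a non-reserved
    # address used as a stand-in for a real public webhook endpoint.
    for u in ("https://150.0.0.1/hook", "http://10.0.0.5/hook",
              "http://127.0.0.1:8080/", "http://[::ffff:192.168.1.1]/",
              "http://150.0.0.1:22/"):
        print(u, "->", "allowed" if is_safe_webhook_url(u) else "rejected")
```

Blocking the address classes rather than matching a denylist of hostnames is what makes this robust: "localhost", a DNS name pointing at 127.0.0.1, an IPv4-mapped IPv6 literal and a bare private address all fail the same check, so the controller cannot be turned into a probe of its own network.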
While the vulnerabilities require some level of access—either as an Administrator (for the takeover) or a user with a valid session—the impact of CVE-2025-9520 makes this a priority patch for organizations using Omada Controllers.
Administrators are advised to review the specific affected versions in the full advisory and apply updates immediately to close these security gaps.