CVE-2025-9293 PUBLISHED

Insufficient Certificate Validation in Multiple Mobile Applications Allows Man in the Middle Interception

Assigner: TPLink
Reserved: 20.08.2025
Published: 13.02.2026
Updated: 13.02.2026

A vulnerability in the certificate validation logic may allow applications to accept untrusted or improperly validated server identities during TLS communication. An attacker in a privileged network position may be able to intercept or modify traffic if they can position themselves within the communication channel. Successful exploitation may compromise confidentiality, integrity, and availability of application data.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N
CVSS Score: 7.7

Product Status

Vendor: TP-Link Systems Inc. (all products listed below)
Versions: default unaffected; affected ranges as listed

  • Tapo App: affected from 0 to 3.14.111 (excl.)
  • Kasa App: affected from 0 to 3.4.350 (excl.)
  • Omada App: affected from 0 to 4.25.25 (excl.)
  • Omada Guard: affected from 0 to 1.1.28 (excl.)
  • Tether App: affected from 0 to 4.12.27 (excl.)
  • Deco App: affected from 0 to 3.9.163 (excl.)
  • Aginet App: affected from 0 to 2.13.6 (excl.)
  • tpCamera App: affected from 0 to 3.2.17 (excl.)
  • WiFi Toolkit: affected from 0 to 1.4.28 (excl.)
  • Festa App: affected from 0 to 1.7.1 (excl.)
  • Wi-Fi Navi: affected from 0 to 1.5.5 (excl.)
  • KidShield: affected from 0 to 1.1.21 (excl.)
  • TP-Partner App: affected from 0 to 2.0.1 (excl.)
  • VIGI App: affected from 0 to 2.7.70 (excl.)

Credits

  • Francesco La Spina, Stanislav Dashevskyi (Forescout Technologies), finder

References

Problem Types

  • CWE-295: Improper Certificate Validation

Impacts

  • CAPEC-94: Adversary in the Middle (AiTM)