Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for Tapo C200 V3 by TP-Link Systems Inc.

    CVE-2026-12760 (GCVE-0-2026-12760)

    Vulnerability from nvd – Published: 2026-06-24 18:10 – Updated: 2026-06-24 18:53
    VLAI
    Title
    Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200
    Summary
    A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.  An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of resources without limits or throttling
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C200 v3 Affected: 0 , < 1.4.4 Build 250922 (custom)
    Create a notification for this product.
    Credits
    Arjan Chadha, Keysight Technologies
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12760",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T18:53:30.462879Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T18:53:46.451Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "NVMP"
              ],
              "product": "Tapo C200 v3",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.4.4 Build 250922",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Arjan Chadha, Keysight Technologies"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.\u0026nbsp; An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.\u003cdiv\u003eSuccessful exploitation can remotely trigger a temporary denial-of-service condition,\u0026nbsp;\u003cspan\u003ecausing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.\u003c/span\u003e\u003c/div\u003e"
                }
              ],
              "value": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.\u00a0 An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition,\u00a0causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-125",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-125 Flooding"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of resources without limits or throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T18:10:49.967Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5143/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-12760",
        "datePublished": "2026-06-24T18:10:49.967Z",
        "dateReserved": "2026-06-19T21:06:11.577Z",
        "dateUpdated": "2026-06-24T18:53:46.451Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8065 (GCVE-0-2025-8065)

    Vulnerability from nvd – Published: 2025-12-20 00:41 – Updated: 2026-04-03 16:50
    VLAI
    Title
    Remote Code Execution via Stack-based Buffer Overflow in ONVIF SOAP Parser in TP-Link Tapo C200 and C520WS
    Summary
    A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer. It allowed a crafted SOAP request with an oversized namespace prefix to cause memory corruption in stack. An unauthenticated attacker on the same local network may exploit this flaw to enable remote code execution with elevated privileges, leading to full compromise of the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C200 V3 Affected: 0 , < V3_1.4.5 Build 251104 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Tapo C520WS v2.6 Affected: 0 , < 1.2.4 Build 260326 Rel.24666n (custom)
    Create a notification for this product.
    Credits
    Simone Margaritelli (evilsocket)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8065",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-22T16:07:36.027962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-22T16:07:49.424Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "ONVIF Server"
              ],
              "product": "Tapo C200 V3",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V3_1.4.5 Build 251104",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Tapo C520WS v2.6",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.2.4 Build 260326 Rel.24666n",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Simone Margaritelli (evilsocket)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer.  It allowed a crafted SOAP request with an oversized namespace prefix to cause memory corruption in stack. \n\u003cbr\u003eAn unauthenticated attacker on the same local network may exploit this flaw to enable remote code execution with elevated privileges, leading to full compromise of the device.\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer.  It allowed a crafted SOAP request with an oversized namespace prefix to cause memory corruption in stack. \n\nAn unauthenticated attacker on the same local network may exploit this flaw to enable remote code execution with elevated privileges, leading to full compromise of the device."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-03T16:50:11.190Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/4849/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Remote Code Execution via Stack-based Buffer Overflow in ONVIF SOAP Parser in TP-Link Tapo C200 and C520WS",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2025-8065",
        "datePublished": "2025-12-20T00:41:56.823Z",
        "dateReserved": "2025-07-22T21:23:25.432Z",
        "dateUpdated": "2026-04-03T16:50:11.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14300 (GCVE-0-2025-14300)

    Vulnerability from nvd – Published: 2025-12-20 00:43 – Updated: 2026-04-03 21:39
    VLAI
    Title
    Unauthenticated Access to connectAP API Endpoint on Tapo C100 and C200
    Summary
    The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C200 V3 Affected: 0 , < V3_1.4.5 Build 251104 (custom)
    Create a notification for this product.
    TP Link Systems Inc. Tapo C100 v5 Affected: 0 , < V5_1.4.4 Build 260303 (custom)
    Create a notification for this product.
    Credits
    Simone Margaritelli (evilsocket) Azim Javed of CRAC Learning
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14300",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-22T16:11:04.458399Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-22T16:12:08.247Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "ONVIF Server"
              ],
              "product": "Tapo C200 V3",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V3_1.4.5 Build 251104",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Tapo C100 v5",
              "vendor": "TP Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V5_1.4.4 Build 260303",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Simone Margaritelli (evilsocket)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Azim Javed of CRAC Learning"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device\u2019s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).\u003cbr\u003e"
                }
              ],
              "value": "The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device\u2019s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-03T21:39:17.347Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/4849/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c100/v5/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c100/v5/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Unauthenticated Access to connectAP API Endpoint on Tapo C100 and C200",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2025-14300",
        "datePublished": "2025-12-20T00:43:39.476Z",
        "dateReserved": "2025-12-08T22:05:13.804Z",
        "dateUpdated": "2026-04-03T21:39:17.347Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14299 (GCVE-0-2025-14299)

    Vulnerability from nvd – Published: 2025-12-20 00:42 – Updated: 2025-12-22 16:08
    VLAI
    Title
    Improper Content-Length Validation in HTTPS Requests on Tapo C200
    Summary
    The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C200 V3 Affected: 0 , < C200(US)_V3_1.4.5 Build 251104 (custom)
    Create a notification for this product.
    Credits
    Simone Margaritelli (evilsocket)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14299",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-22T16:08:41.801519Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-22T16:08:54.736Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "HTTPS Server"
              ],
              "product": "Tapo C200 V3",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "C200(US)_V3_1.4.5 Build 251104",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Simone Margaritelli (evilsocket)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS).\u003cbr\u003e"
                }
              ],
              "value": "The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-20T00:42:43.806Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "url": "https://www.tp-link.com/us/support/faq/4849/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Content-Length Validation in HTTPS Requests on Tapo C200",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2025-14299",
        "datePublished": "2025-12-20T00:42:43.806Z",
        "dateReserved": "2025-12-08T22:05:00.941Z",
        "dateUpdated": "2025-12-22T16:08:54.736Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12760 (GCVE-0-2026-12760)

    Vulnerability from cvelistv5 – Published: 2026-06-24 18:10 – Updated: 2026-06-24 18:53
    VLAI
    Title
    Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200
    Summary
    A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.  An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of resources without limits or throttling
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C200 v3 Affected: 0 , < 1.4.4 Build 250922 (custom)
    Create a notification for this product.
    Credits
    Arjan Chadha, Keysight Technologies
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12760",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T18:53:30.462879Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T18:53:46.451Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "NVMP"
              ],
              "product": "Tapo C200 v3",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.4.4 Build 250922",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Arjan Chadha, Keysight Technologies"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.\u0026nbsp; An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.\u003cdiv\u003eSuccessful exploitation can remotely trigger a temporary denial-of-service condition,\u0026nbsp;\u003cspan\u003ecausing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.\u003c/span\u003e\u003c/div\u003e"
                }
              ],
              "value": "A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.\u00a0 An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition,\u00a0causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-125",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-125 Flooding"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of resources without limits or throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T18:10:49.967Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/5143/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-12760",
        "datePublished": "2026-06-24T18:10:49.967Z",
        "dateReserved": "2026-06-19T21:06:11.577Z",
        "dateUpdated": "2026-06-24T18:53:46.451Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14300 (GCVE-0-2025-14300)

    Vulnerability from cvelistv5 – Published: 2025-12-20 00:43 – Updated: 2026-04-03 21:39
    VLAI
    Title
    Unauthenticated Access to connectAP API Endpoint on Tapo C100 and C200
    Summary
    The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C200 V3 Affected: 0 , < V3_1.4.5 Build 251104 (custom)
    Create a notification for this product.
    TP Link Systems Inc. Tapo C100 v5 Affected: 0 , < V5_1.4.4 Build 260303 (custom)
    Create a notification for this product.
    Credits
    Simone Margaritelli (evilsocket) Azim Javed of CRAC Learning
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14300",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-22T16:11:04.458399Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-22T16:12:08.247Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "ONVIF Server"
              ],
              "product": "Tapo C200 V3",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V3_1.4.5 Build 251104",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Tapo C100 v5",
              "vendor": "TP Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V5_1.4.4 Build 260303",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Simone Margaritelli (evilsocket)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Azim Javed of CRAC Learning"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device\u2019s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).\u003cbr\u003e"
                }
              ],
              "value": "The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device\u2019s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-03T21:39:17.347Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/4849/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c100/v5/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c100/v5/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Unauthenticated Access to connectAP API Endpoint on Tapo C100 and C200",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2025-14300",
        "datePublished": "2025-12-20T00:43:39.476Z",
        "dateReserved": "2025-12-08T22:05:13.804Z",
        "dateUpdated": "2026-04-03T21:39:17.347Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14299 (GCVE-0-2025-14299)

    Vulnerability from cvelistv5 – Published: 2025-12-20 00:42 – Updated: 2025-12-22 16:08
    VLAI
    Title
    Improper Content-Length Validation in HTTPS Requests on Tapo C200
    Summary
    The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C200 V3 Affected: 0 , < C200(US)_V3_1.4.5 Build 251104 (custom)
    Create a notification for this product.
    Credits
    Simone Margaritelli (evilsocket)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14299",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-22T16:08:41.801519Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-22T16:08:54.736Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "HTTPS Server"
              ],
              "product": "Tapo C200 V3",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "C200(US)_V3_1.4.5 Build 251104",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Simone Margaritelli (evilsocket)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS).\u003cbr\u003e"
                }
              ],
              "value": "The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-20T00:42:43.806Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "url": "https://www.tp-link.com/us/support/faq/4849/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Content-Length Validation in HTTPS Requests on Tapo C200",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2025-14299",
        "datePublished": "2025-12-20T00:42:43.806Z",
        "dateReserved": "2025-12-08T22:05:00.941Z",
        "dateUpdated": "2025-12-22T16:08:54.736Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8065 (GCVE-0-2025-8065)

    Vulnerability from cvelistv5 – Published: 2025-12-20 00:41 – Updated: 2026-04-03 16:50
    VLAI
    Title
    Remote Code Execution via Stack-based Buffer Overflow in ONVIF SOAP Parser in TP-Link Tapo C200 and C520WS
    Summary
    A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer. It allowed a crafted SOAP request with an oversized namespace prefix to cause memory corruption in stack. An unauthenticated attacker on the same local network may exploit this flaw to enable remote code execution with elevated privileges, leading to full compromise of the device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Tapo C200 V3 Affected: 0 , < V3_1.4.5 Build 251104 (custom)
    Create a notification for this product.
    TP-Link Systems Inc. Tapo C520WS v2.6 Affected: 0 , < 1.2.4 Build 260326 Rel.24666n (custom)
    Create a notification for this product.
    Credits
    Simone Margaritelli (evilsocket)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8065",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-22T16:07:36.027962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-22T16:07:49.424Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "ONVIF Server"
              ],
              "product": "Tapo C200 V3",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "V3_1.4.5 Build 251104",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Tapo C520WS v2.6",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.2.4 Build 260326 Rel.24666n",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Simone Margaritelli (evilsocket)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer.  It allowed a crafted SOAP request with an oversized namespace prefix to cause memory corruption in stack. \n\u003cbr\u003eAn unauthenticated attacker on the same local network may exploit this flaw to enable remote code execution with elevated privileges, leading to full compromise of the device.\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer.  It allowed a crafted SOAP request with an oversized namespace prefix to cause memory corruption in stack. \n\nAn unauthenticated attacker on the same local network may exploit this flaw to enable remote code execution with elevated privileges, leading to full compromise of the device."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-03T16:50:11.190Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.tp-link.com/us/support/faq/4849/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Remote Code Execution via Stack-based Buffer Overflow in ONVIF SOAP Parser in TP-Link Tapo C200 and C520WS",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2025-8065",
        "datePublished": "2025-12-20T00:41:56.823Z",
        "dateReserved": "2025-07-22T21:23:25.432Z",
        "dateUpdated": "2026-04-03T16:50:11.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }