Skip to main content

IoT CVE-2025-14300

HIGH
Missing Authentication for Critical Function (CWE-306)
2025-12-20 f23511db-6c3e-4e32-a477-6aa17d310630
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Apr 03, 2026 - 22:22 vuln.today
CVE Published
Dec 20, 2025 - 01:16 nvd
HIGH 8.7

DescriptionCVE.org

The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).

AnalysisAI

Missing authentication on the HTTPS connectAP interface in TP-Link Tapo C200 V3 firmware (versions 1.3.3 through 1.4.1) allows adjacent network attackers to remotely reconfigure device Wi-Fi settings, causing permanent denial-of-service until manual intervention. The vulnerability exploits CWE-306 (Missing Authentication for Critical Function) with CVSS 8.7 severity, requiring only adjacent network access with low attack complexity and no user interaction. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the technical barrier is minimal for LAN-positioned adversaries.

Technical ContextAI

The Tapo C200 V3 is a consumer-grade pan-tilt-zoom IP camera running embedded Linux firmware. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where the HTTPS management service exposes a 'connectAP' API endpoint that accepts Wi-Fi configuration changes without requiring authentication credentials. According to CPE data, affected products span TP-Link Tapo C200 firmware builds from 1.3.3 (Build 230228, February 2023) through 1.4.1 (Build 241212, December 2024), representing nearly two years of vulnerable releases. The CVSS 4.0 vector (AV:A/AC:L/PR:N/UI:N) confirms adjacent network attack vector with low complexity and no privilege requirements, indicating the API accepts unauthenticated HTTP/HTTPS requests from any client on the same network segment. This architectural flaw allows manipulation of critical device configuration parameters-specifically SSID, authentication credentials, and connection settings-through unprotected REST endpoints, violating fundamental secure-by-design principles for IoT management interfaces.

RemediationAI

TP-Link has published patched firmware addressing CVE-2025-14300 per security advisory FAQ 4849. Tapo C200 V3 owners should immediately upgrade to the latest firmware release available at https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes, applying updates through the Tapo mobile application (Settings > Device Settings > Firmware Update) or web management interface. Verify post-update firmware build number exceeds 241212 to confirm patch application. Organizations unable to immediately patch should implement network segmentation controls: isolate Tapo cameras on dedicated VLAN segments with strict inter-VLAN routing policies preventing adjacent network access from untrusted clients, disable HTTPS management interfaces if remote administration is unnecessary, and deploy 802.1X port-based authentication or MAC address filtering to restrict Layer 2 access to camera subnets. For high-security deployments, consider replacing affected devices with enterprise-grade IP cameras offering role-based access control and authenticated API endpoints until vendor patch deployment is verified through penetration testing. Monitor network traffic for unusual HTTP POST requests to /connectAP endpoints as potential indicators of exploitation attempts.

More in IoT

View all
CVE-2025-45988 CRITICAL POC
9.8 Jun 13

A command injection vulnerability (CVSS 9.8). Risk factors: public PoC available.

CVE-2026-29128 CRITICAL POC
10.0 Mar 05

Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.

CVE-2025-63624 CRITICAL POC
9.8 Feb 03

Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the

CVE-2026-25139 CRITICAL POC
9.1 Feb 04

RIOT IoT operating system has an out-of-bounds read vulnerability (CVSS 9.1) that could lead to information disclosure o

CVE-2025-5875 HIGH POC
8.8 Jun 09

A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available

CVE-2025-34023 HIGH POC
8.5 Jun 20

CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote auth

CVE-2025-48466 HIGH POC
8.1 Jun 24

CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.

CVE-2026-27177 HIGH POC
7.2 Feb 18

MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to in

CVE-2025-7503 CRITICAL
10.0 Jul 11

CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affect

CVE-2025-64090 CRITICAL
10.0 Jan 09

Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.

CVE-2026-1633 CRITICAL
10.0 Feb 04

Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0)

CVE-2025-40805 CRITICAL
10.0 Jan 13

An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with sc

Share

CVE-2025-14300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy