CVE-2025-14300
HIGH
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).
Analysis
Missing authentication on the HTTPS connectAP interface in TP-Link Tapo C200 V3 firmware (versions 1.3.3 through 1.4.1) allows adjacent network attackers to remotely reconfigure device Wi-Fi settings, causing a denial-of-service that persists until manual intervention. The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function) and rated CVSS 8.7; it requires only adjacent network access, with low attack complexity and no user interaction. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the technical barrier is minimal for LAN-positioned adversaries.
Technical Context
The Tapo C200 V3 is a consumer-grade pan-tilt-zoom IP camera running embedded Linux firmware. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where the HTTPS management service exposes a 'connectAP' API endpoint that accepts Wi-Fi configuration changes without requiring authentication credentials. According to CPE data, affected products span TP-Link Tapo C200 firmware builds from 1.3.3 (Build 230228, February 2023) through 1.4.1 (Build 241212, December 2024), representing nearly two years of vulnerable releases. The CVSS 4.0 vector (AV:A/AC:L/PR:N/UI:N) confirms an adjacent-network attack vector with low complexity and no privilege requirements, indicating the API accepts unauthenticated HTTP/HTTPS requests from any client on the same network segment. This architectural flaw allows manipulation of critical device configuration parameters (specifically SSID, authentication credentials, and connection settings) through unprotected REST endpoints, violating fundamental secure-by-design principles for IoT management interfaces.
Affected Products
TP-Link Tapo C200 V3 IP cameras running firmware versions 1.3.3 Build 230228 (February 2023) through 1.4.1 Build 241212 (December 2024) are confirmed vulnerable per CPE product identifiers cpe:2.3:o:tp-link:tapo_c200_firmware across ten distinct build releases. The vulnerability affects hardware revision V3 of the Tapo C200 model specifically; applicability to Tapo C100 V5 is suggested by vendor advisory cross-references but not explicitly confirmed in CPE data. All vulnerable firmware versions expose the unauthenticated connectAP interface through the device's HTTPS management service, typically accessible on TCP port 443 at the camera's LAN IP address. Vendor advisories and firmware release notes are available at https://www.tp-link.com/us/support/download/tapo-c200/v3/ with security bulletin details at https://www.tp-link.com/us/support/faq/4849/.
Remediation
TP-Link has published patched firmware addressing CVE-2025-14300 per security advisory FAQ 4849. Tapo C200 V3 owners should immediately upgrade to the latest firmware release available at https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes, applying updates through the Tapo mobile application (Settings > Device Settings > Firmware Update) or web management interface. Verify post-update firmware build number exceeds 241212 to confirm patch application. Organizations unable to immediately patch should implement network segmentation controls: isolate Tapo cameras on dedicated VLAN segments with strict inter-VLAN routing policies preventing adjacent network access from untrusted clients, disable HTTPS management interfaces if remote administration is unnecessary, and deploy 802.1X port-based authentication or MAC address filtering to restrict Layer 2 access to camera subnets. For high-security deployments, consider replacing affected devices with enterprise-grade IP cameras offering role-based access control and authenticated API endpoints until vendor patch deployment is verified through penetration testing. Monitor network traffic for unusual HTTP POST requests to /connectAP endpoints as potential indicators of exploitation attempts.
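The build-number check from the remediation text, applied to a camera inventory, as an added example (not TP-Link's or this site's code). The inventory tuple layout, the trailing `Rel.` suffix and all sample records are constructed assumptions; the affected range is the one stated on this page.

```python
import re

# Affected range as stated in the advisory text: 1.3.3 Build 230228 .. 1.4.1 Build 241212.
FIRST_AFFECTED = ((1, 3, 3), 230228)
LAST_AFFECTED = ((1, 4, 1), 241212)
FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{6})\b", re.IGNORECASE)

def parse_firmware(fw):
    """Return ((major, minor, patch), build) or None when the string does not parse."""
    m = FW_RE.match(fw or "")
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), int(m.group(4))

def classify(model, hw_rev, fw):
    """Classify one inventory record against CVE-2025-14300."""
    if model.strip().lower() != "tapo c200" or hw_rev.strip().upper() != "V3":
        return "not-in-scope"   # only C200 V3 is confirmed in the CPE data
    parsed = parse_firmware(fw)
    if parsed is None:
        return "unknown"        # unreadable string: check the device by hand
    version, build = parsed
    if build > LAST_AFFECTED[1]:
        return "patched"        # remediation check: build number exceeds 241212
    if build >= FIRST_AFFECTED[1] and FIRST_AFFECTED[0] <= version <= LAST_AFFECTED[0]:
        return "vulnerable"
    return "unknown"            # older than the listed range, or fields disagree

# Constructed sample inventory (documentation addresses, made-up firmware strings).
INVENTORY = [
    ("192.0.2.10", "Tapo C200", "V3", "1.3.3 Build 230228 Rel.00000n"),
    ("192.0.2.11", "Tapo C200", "V3", "1.4.1 Build 241212"),
    ("192.0.2.12", "Tapo C200", "V3", "1.4.2 Build 250101"),  # constructed, not a real release
    ("192.0.2.13", "Tapo C200", "V1", "1.3.3 Build 230228"),
    ("192.0.2.14", "Tapo C200", "V3", "1.1.0 Build 220101"),
    ("192.0.2.15", "Tapo C200", "V3", "n/a"),
]

def triage(inventory):
    """Map each host to its status so vulnerable cameras can be queued for update."""
    return {host: classify(model, hw, fw) for host, model, hw, fw in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}\t{status}")
```

Records reported as `unknown` fall outside what the page states (older than 1.3.3 Build 230228, or an unparseable string) and need a manual check rather than an assumption either way.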