CVE-2025-8065

HIGH 8.7 (CVSS 4.0)
2025-12-20 f23511db-6c3e-4e32-a477-6aa17d310630

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: not defined (CVSS 4.0 has no Scope metric; impact on other systems is carried by the SC/SI/SA fields of the vector above)

Lifecycle Timeline

Analysis Generated: Apr 02, 2026 - 18:22 (vuln.today)
CVE Published: Dec 20, 2025 - 01:16 (nvd)

Description

A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer. A crafted SOAP request with an oversized namespace prefix can therefore corrupt stack memory. An unauthenticated attacker on the same local network may exploit this flaw to achieve remote code execution with elevated privileges, leading to full compromise of the device.

Analysis

Stack-based buffer overflow in the ONVIF SOAP XML parser of TP-Link Tapo C200 v3 (firmware ≤1.4.1) and C520WS v2.6 cameras enables unauthenticated remote code execution from adjacent networks. Attackers can send crafted SOAP requests with oversized namespace prefixes to trigger memory corruption and achieve full device compromise with elevated privileges. EPSS probability and KEV status indicate no public exploit identified at time of analysis, though the vulnerability affects widely deployed consumer IoT cameras with network exposure.

Technical Context

This vulnerability (CWE-121: Stack-based Buffer Overflow) resides in the ONVIF SOAP XML parser implementation used by TP-Link Tapo security cameras. ONVIF is an industry-standard protocol for IP camera interoperability, using SOAP-based web services for device management and control. The parser fails to validate the length of XML namespace prefixes before copying them into fixed-size stack buffers during tag processing. When a maliciously crafted SOAP message contains an oversized namespace prefix, the unbounded copy operation overflows the stack buffer, corrupting adjacent memory regions. This memory corruption can be leveraged to overwrite return addresses or function pointers, enabling arbitrary code execution in the context of the camera's firmware process. Affected products per CPE data include TP-Link Tapo C200 firmware versions 1.3.3 through 1.4.1 (builds 230228 through 241212) running on Tapo C200 v3 hardware, indicating over 10 firmware releases spanning nearly two years contain this flaw. The vulnerability is exploitable through the camera's ONVIF service interface, typically exposed on the local network for integration with video management systems and smart home platforms.
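The paragraph above describes the general shape of the flaw: a namespace prefix is copied into a fixed-size stack buffer without its length being checked first. The C below is an added illustration of that CWE-121 pattern and of the bounded check that prevents it; it is not code from the Tapo firmware or from TP-Link, and the buffer size NS_PREFIX_MAX, the function names and the sample SOAP fragment are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer size for a namespace prefix. Constructed for this
 * illustration; it is not the constant used in the Tapo firmware. */
#define NS_PREFIX_MAX 32

typedef enum {
    PREFIX_OK = 0,        /* prefix copied and NUL-terminated */
    PREFIX_NONE = 1,      /* element name carries no namespace prefix */
    PREFIX_TOO_LONG = 2,  /* prefix does not fit: rejected, nothing copied */
    PREFIX_BAD_INPUT = 3  /* NULL pointer or zero-sized destination */
} prefix_status;

/*
 * Unsafe pattern (CWE-121) this function replaces, shown for contrast only:
 *     char prefix[NS_PREFIX_MAX];
 *     const char *colon = strchr(name, ':');
 *     memcpy(prefix, name, colon - name);   // length never compared to sizeof prefix
 * Bounded version: measure the prefix, compare it with the destination size
 * (leaving room for the terminator), and copy only when it fits.
 */
prefix_status extract_ns_prefix(const char *name, size_t name_len,
                                char *out, size_t out_size)
{
    if (name == NULL || out == NULL || out_size == 0)
        return PREFIX_BAD_INPUT;

    /* memchr is bounded by name_len, so an unterminated name is never over-read. */
    const char *colon = memchr(name, ':', name_len);
    if (colon == NULL) {
        out[0] = '\0';
        return PREFIX_NONE;
    }

    size_t prefix_len = (size_t)(colon - name);
    if (prefix_len >= out_size) {   /* >= keeps one byte for the NUL */
        out[0] = '\0';
        return PREFIX_TOO_LONG;
    }

    memcpy(out, name, prefix_len);
    out[prefix_len] = '\0';
    return PREFIX_OK;
}

/* Single-name wrapper with the fixed-size stack buffer a parser would use. */
prefix_status check_tag(const char *name)
{
    char prefix[NS_PREFIX_MAX];
    if (name == NULL)
        return PREFIX_BAD_INPUT;
    return extract_ns_prefix(name, strlen(name), prefix, sizeof prefix);
}

/* Walk a NUL-terminated XML/SOAP fragment, isolate each element name (the token
 * after '<' or '</', ended by whitespace, '/' or '>') and count the names whose
 * prefix would not fit. Rejecting the message when the count is non-zero means
 * the parser never reaches an overflowing copy. */
int count_oversized_prefixes(const char *xml)
{
    size_t len = strlen(xml);
    size_t i = 0;
    int oversized = 0;

    while (i < len) {
        if (xml[i] != '<') { i++; continue; }
        i++;                                       /* step past '<' */
        if (i < len && xml[i] == '/') i++;         /* closing tag: skip '/' */
        if (i < len && (xml[i] == '?' || xml[i] == '!')) {
            while (i < len && xml[i] != '>') i++;  /* declaration/comment: no name */
            continue;
        }
        size_t start = i;
        while (i < len && xml[i] != '>' && xml[i] != '/' && xml[i] != ' ' &&
               xml[i] != '\t' && xml[i] != '\r' && xml[i] != '\n')
            i++;
        char prefix[NS_PREFIX_MAX];
        if (extract_ns_prefix(xml + start, i - start, prefix, sizeof prefix) == PREFIX_TOO_LONG)
            oversized++;
    }
    return oversized;
}

/* Constructed SOAP fragment: ordinary prefixes plus one 40-byte prefix. */
static const char SAMPLE_ENVELOPE[] =
    "<s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\">"
    "<s:Body><tds:GetCapabilities/>"
    "<" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" ":Probe/>"
    "</s:Body></s:Envelope>";

int demo_envelope_oversized(void)
{
    return count_oversized_prefixes(SAMPLE_ENVELOPE);
}

int main(void)
{
    printf("tds:GetCapabilities -> status %d\n", check_tag("tds:GetCapabilities"));
    printf("oversized prefixes in sample envelope: %d\n", demo_envelope_oversized());
    return 0;
}
```

The check uses `>=` rather than `>` so that a prefix exactly filling the buffer is rejected too, leaving room for the terminator; that off-by-one is the case a fix for this class of bug most often misses.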

Affected Products

TP-Link Tapo C200 version 3 hardware running firmware versions 1.3.3 build 230228 through 1.4.1 build 241212 is confirmed affected, spanning releases from February 2023 through December 2024. TP-Link Tapo C520WS version 2.6 hardware is also vulnerable, though specific firmware version ranges for this model are not detailed in available CPE data. These are consumer-grade pan-tilt-zoom security cameras with ONVIF protocol support for third-party integration. The vulnerability exists in all firmware builds listed in the CPE strings, indicating TP-Link shipped this parsing flaw across multiple product iterations and updates throughout 2023-2024. Vendor advisory and firmware release notes are available at the TP-Link support portal per reference links provided.

Remediation

Users should immediately update to patched firmware versions available from TP-Link's official support portal. For Tapo C200 v3, download the latest firmware from https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes and for Tapo C520WS from https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes. Apply updates through the Tapo mobile app or web management interface following vendor instructions at https://www.tp-link.com/us/support/faq/4849/. As a temporary mitigation until patching, isolate affected cameras on a dedicated VLAN with strict firewall rules preventing lateral movement, disable ONVIF protocol support if not required for integration, and restrict camera network access to only trusted management systems. Organizations should audit which devices require ONVIF functionality and consider disabling it entirely on cameras used solely with the Tapo native app. Network segmentation is critical given the adjacent-network attack vector: ensure IoT cameras cannot reach or be reached from corporate workstation networks.

Priority Score

44 (on a Low / Medium / High / Critical scale)
Components: KEV 0, EPSS +0.0, CVSS +44, POC 0


CVE-2025-8065 vulnerability details – vuln.today
