Tapo C200 CVE-2025-8065
Severity: HIGH. CVSS Vector (NVD):
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it into a fixed-size stack buffer. A crafted SOAP request with an oversized namespace prefix can therefore corrupt memory on the stack.
An unauthenticated attacker on the same local network may exploit this flaw to achieve remote code execution with elevated privileges, leading to full compromise of the device.
Analysis (AI-generated)
A stack-based buffer overflow in the ONVIF SOAP XML parser of TP-Link Tapo C200 v3 (firmware ≤1.4.1) and C520WS v2.6 cameras enables unauthenticated remote code execution from an adjacent network. An attacker sends a crafted SOAP request whose namespace prefix is longer than the parser's fixed-size stack buffer, triggering memory corruption and full device compromise with elevated privileges. At the time of analysis the CVE was not listed in CISA KEV and its EPSS score did not indicate a known public exploit, but the flaw affects widely deployed consumer IoT cameras that commonly sit on shared home and office networks.
Technical Context (AI-generated)
This vulnerability (CWE-121: Stack-based Buffer Overflow) resides in the ONVIF SOAP XML parser implementation used by TP-Link Tapo security cameras. ONVIF is an industry-standard protocol for IP camera interoperability that uses SOAP-based web services for device management and control. The parser fails to validate the length of an XML namespace prefix (the part of a tag name before the colon, e.g. the `tds` in `<tds:GetDeviceInformation>`) before copying it into a fixed-size stack buffer during tag processing. When a maliciously crafted SOAP message contains an oversized namespace prefix, the unbounded copy overflows the stack buffer and corrupts adjacent memory. Because the buffer lives on the stack, the corruption can reach saved return addresses or function pointers, enabling arbitrary code execution in the context of the camera's ONVIF service process. Affected products per CPE data include TP-Link Tapo C200 firmware versions 1.3.3 through 1.4.1 (builds 230228 through 241212) on Tapo C200 v3 hardware, a version range spanning nearly two years of firmware releases. The vulnerability is reachable through the camera's ONVIF service interface, which is typically exposed on the local network for integration with video management systems and smart home platforms, so no authentication to the Tapo cloud account is needed.
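The following is an added illustration of the flaw class described above, not TP-Link's firmware code: a minimal prefix extractor that copies the namespace prefix of the first XML tag into a fixed stack buffer without a length check, beside a bounded version that rejects oversized prefixes. The buffer size (`PREFIX_MAX`), function names and the sample SOAP messages are assumptions constructed for the example; the oversized request is a synthetic test input, not a real exploit payload.

```c
/* Added example (not TP-Link's code): the unbounded namespace-prefix copy
 * pattern the advisory describes, beside a bounded version. PREFIX_MAX and
 * the function names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PREFIX_MAX 32   /* assumed fixed-size stack buffer for the prefix */

/* Locate the namespace prefix of the first start tag in `xml`, i.e. the
 * characters between '<' and ':'. Returns the prefix length and sets
 * *start, or -1 if no prefixed start tag is found. Only scans; never copies. */
static long find_prefix(const char *xml, const char **start) {
    const char *lt = strchr(xml, '<');
    while (lt) {
        const char *p = lt + 1;
        if (*p == '/' || *p == '?' || *p == '!') {   /* end tag, PI, comment */
            lt = strchr(p, '<');
            continue;
        }
        const char *q = p;
        while (*q && *q != ':' && *q != '>' && *q != ' ' && *q != '/') q++;
        if (*q == ':') { *start = p; return (long)(q - p); }
        lt = strchr(q, '<');
    }
    return -1;
}

/* Deliberately vulnerable (CWE-121): the prefix length is never compared
 * against PREFIX_MAX before the copy, so a long prefix overruns the stack
 * buffer. Kept only to show the pattern; never feed it untrusted input. */
int handle_tag_unsafe(const char *xml) {
    char prefix[PREFIX_MAX];
    const char *start;
    long len = find_prefix(xml, &start);
    if (len < 0) return -1;
    memcpy(prefix, start, (size_t)len);   /* overflow when len >= PREFIX_MAX */
    prefix[len] = '\0';
    return (int)strlen(prefix);
}

/* Hardened: reject the tag when the prefix plus terminator does not fit. */
int handle_tag_safe(const char *xml) {
    char prefix[PREFIX_MAX];
    const char *start;
    long len = find_prefix(xml, &start);
    if (len < 0) return -1;
    if ((size_t)len >= sizeof prefix) return -2;   /* oversized prefix rejected */
    memcpy(prefix, start, (size_t)len);
    prefix[len] = '\0';
    return (int)strlen(prefix);
}

/* Constructed benign ONVIF-style request; first prefixed tag is <s:Envelope>. */
static const char BENIGN[] =
    "<s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\">"
    "<s:Body><tds:GetDeviceInformation/></s:Body></s:Envelope>";

/* Build a synthetic request whose first tag has a prefix of n 'A' bytes. */
int build_oversized(char *out, size_t outsz, size_t n) {
    if (n + 16 > outsz) return -1;        /* room for '<', prefix, ":Envelope/>", NUL */
    out[0] = '<';
    memset(out + 1, 'A', n);
    memcpy(out + 1 + n, ":Envelope/>", 12); /* 11 characters plus terminator */
    return 0;
}

/* Build an n-byte-prefix request and run the hardened handler on it. */
int safe_result_for_prefix_len(size_t n) {
    char req[512];
    if (build_oversized(req, sizeof req, n) != 0) return -3;
    return handle_tag_safe(req);
}

int main(void) {
    printf("benign prefix length: %d\n", handle_tag_safe(BENIGN));
    printf("200-byte prefix, hardened handler: %d\n", safe_result_for_prefix_len(200));
    return 0;
}
```

The hardened handler makes the check explicit and fails closed; a real parser would additionally bound the copy with the destination size (`memcpy` with `sizeof prefix - 1`, or `snprintf`) so that a later refactor cannot silently reintroduce the unbounded copy.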
Remediation (AI-generated)
Users should update to patched firmware from TP-Link's official support portal as soon as possible. For Tapo C200 v3, download the latest firmware from https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes and for Tapo C520WS from https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes. Apply updates through the Tapo mobile app or web management interface following the vendor instructions at https://www.tp-link.com/us/support/faq/4849/. Until the update is applied, isolate affected cameras on a dedicated VLAN with firewall rules that block lateral movement, disable ONVIF support if it is not required for integration, and restrict the cameras' network access to the trusted management systems that need it. Organizations should audit which devices actually require ONVIF and disable it on cameras used solely with the Tapo native app. Network segmentation matters because the attack vector is adjacent-network: ensure IoT cameras can neither reach nor be reached from corporate workstation networks.