Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent-network attacker (AV:A) sends fragments with no auth or interaction (AC:L/PR:N/UI:N); impact is availability-only (A:H) with no confidentiality or integrity loss and no scope change.
Primary rating from Vendor (TPLink).
CVSS VectorVendor: TPLink
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets. An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.
AnalysisAI
Remote denial-of-service in the TP-Link Tapo C200 v3 home security camera allows an unauthenticated attacker on the adjacent network to crash or destabilize the device by sending malformed IPv4 fragmented packets. Exploitation drives excessive resource consumption (CWE-770) and renders the camera unresponsive, causing intermittent loss of live video monitoring and recording. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be on the adjacent network (AV:A) - the same local/Wi-Fi broadcast segment as the camera - and to send crafted IPv4 fragmented packets to the device; no authentication, credentials, or user interaction is needed (PR:N/UI:N), and no special camera feature or non-default configuration is called out as a prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H, base 7.1) is internally consistent with the description: adjacent attack surface, low complexity, no privileges or user interaction, and an availability-only impact (VA:H) with no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained access to the same Wi-Fi network as the camera - for example via a weak Wi-Fi password or another compromised device on the LAN - sends a stream of crafted, malformed IPv4 fragmented packets to the Tapo C200 v3. The camera's packet handling logic exhausts memory or CPU reassembling the fragments and becomes unresponsive, dropping live video and recording for the duration of the attack. … |
| Remediation | Patch available per vendor advisory: update the Tapo C200 v3 to the latest firmware listed in TP-Link's release notes (https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes or the EN mirror), as an exact fixed build number was not provided in the input - confirm the current version against those release notes before and after updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all deployed TP-Link Tapo C200 v3 cameras and evaluate their criticality to physical security operations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39026
GHSA-25hh-rw6j-95ch