Skip to main content

Tapo C520WS CVE-2026-6239

| EUVDEUVD-2026-34934 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-06-05 TPLink GHSA-cpjh-84vm-rvxf
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 00:33 vuln.today
CVSS changed
Jun 06, 2026 - 00:22 NVD
6.8 (MEDIUM)

DescriptionCVE.org

A stack‑based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where the device fails to properly validate the number of XML user nodes during request processing. An authenticated attacker can send a specially crafted ONVIF request containing an excessive number of user entries to trigger memory corruption.

Successful exploitation may cause the ONVIF management service to terminate unexpectedly, resulting in a denial‑of‑service (DoS) condition that disrupts device configuration and management functions.

AnalysisAI

Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authenticated, adjacent-network attacker to crash the ONVIF management process by sending a crafted request with an excessive number of XML user nodes. Exploitation results in a denial-of-service condition that disrupts ONVIF-based device configuration and management until the service recovers or the device is rebooted. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor (TP-Link) has released a firmware patch.

Technical ContextAI

The TP-Link Tapo C520WS v2 is a consumer-grade outdoor IP camera that implements the ONVIF (Open Network Video Interface Forum) protocol for standardized management interoperability, including the CreateUsers service for provisioning camera accounts via XML-formatted SOAP requests. CWE-121 (Stack-Based Buffer Overflow) identifies the root cause class: the firmware allocates a fixed-size stack buffer to hold parsed XML user node data from the ONVIF CreateUsers request body, but fails to bound-check the number of user entries supplied. Submitting an excessive node count overflows the stack frame, corrupting return addresses or local state and causing the ONVIF service process to terminate. This pattern - insufficient XML input validation in embedded network-facing services - is a recurring weakness in IoT/camera firmware, typically arising from constrained development environments without stack canaries or bounds-checking libraries. The affected CPE is cpe:2.3:a:tp-link_systems_inc.:tapo_c520ws_v2:*:*:*:*:*:*:*:*.

RemediationAI

Apply the latest Tapo C520WS v2 firmware update from the TP-Link official download page (https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes or https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes) and review the vendor security advisory at https://www.tp-link.com/us/support/faq/5120/ for exact patched version details; the specific fixed firmware build number was not present in available intelligence and must be confirmed against the release notes before deployment. As a compensating control prior to patching, isolate the camera on a dedicated IoT VLAN with firewall rules preventing cross-segment ONVIF access, which eliminates the adjacent-network exposure (AV:A) and fully mitigates remote exploitation at the cost of potentially disrupting cross-VLAN NVR/VMS integrations. If ONVIF functionality is not required for your deployment, disabling the ONVIF service entirely removes the attack surface with no impact on basic camera operation but will break third-party ONVIF-compatible management tools. Additionally, audit and minimize the number of accounts with high-privilege access to the device, as PR:H is a hard prerequisite for exploitation.

Share

CVE-2026-6239 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy