Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A stack‑based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where the device fails to properly validate the number of XML user nodes during request processing. An authenticated attacker can send a specially crafted ONVIF request containing an excessive number of user entries to trigger memory corruption.
Successful exploitation may cause the ONVIF management service to terminate unexpectedly, resulting in a denial‑of‑service (DoS) condition that disrupts device configuration and management functions.
AnalysisAI
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authenticated, adjacent-network attacker to crash the ONVIF management process by sending a crafted request with an excessive number of XML user nodes. Exploitation results in a denial-of-service condition that disrupts ONVIF-based device configuration and management until the service recovers or the device is rebooted. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor (TP-Link) has released a firmware patch.
Technical ContextAI
The TP-Link Tapo C520WS v2 is a consumer-grade outdoor IP camera that implements the ONVIF (Open Network Video Interface Forum) protocol for standardized management interoperability, including the CreateUsers service for provisioning camera accounts via XML-formatted SOAP requests. CWE-121 (Stack-Based Buffer Overflow) identifies the root cause class: the firmware allocates a fixed-size stack buffer to hold parsed XML user node data from the ONVIF CreateUsers request body, but fails to bound-check the number of user entries supplied. Submitting an excessive node count overflows the stack frame, corrupting return addresses or local state and causing the ONVIF service process to terminate. This pattern - insufficient XML input validation in embedded network-facing services - is a recurring weakness in IoT/camera firmware, typically arising from constrained development environments without stack canaries or bounds-checking libraries. The affected CPE is cpe:2.3:a:tp-link_systems_inc.:tapo_c520ws_v2:*:*:*:*:*:*:*:*.
RemediationAI
Apply the latest Tapo C520WS v2 firmware update from the TP-Link official download page (https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes or https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes) and review the vendor security advisory at https://www.tp-link.com/us/support/faq/5120/ for exact patched version details; the specific fixed firmware build number was not present in available intelligence and must be confirmed against the release notes before deployment. As a compensating control prior to patching, isolate the camera on a dedicated IoT VLAN with firewall rules preventing cross-segment ONVIF access, which eliminates the adjacent-network exposure (AV:A) and fully mitigates remote exploitation at the cost of potentially disrupting cross-VLAN NVR/VMS integrations. If ONVIF functionality is not required for your deployment, disabling the ONVIF service entirely removes the attack surface with no impact on basic camera operation but will break third-party ONVIF-compatible management tools. Additionally, audit and minimize the number of accounts with high-privilege access to the device, as PR:H is a hard prerequisite for exploitation.
More in Tapo C520Ws V2
View allDenial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render th
Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to exec
Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the s
Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an a
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to c
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34934
GHSA-cpjh-84vm-rvxf