Skip to main content

Tapo C520WS v2 CVE-2026-6240

| EUVDEUVD-2026-34935 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-06-05 TPLink GHSA-qv33-m6vq-mqmr
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 00:34 vuln.today
CVSS changed
Jun 06, 2026 - 00:22 NVD
6.8 (MEDIUM)

DescriptionCVE.org

A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory.

Successful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality.

AnalysisAI

Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to crash the device's ONVIF service by submitting a crafted DeleteUsers request containing an excessive number of user identifiers, causing a denial-of-service condition that disrupts camera management and monitoring functionality. The CVSS:4.0 vector (VC:N/VI:N/VA:H) confirms impact is strictly limited to availability - no confidentiality or integrity compromise is achievable. No public exploit identified at time of analysis and no active exploitation has been confirmed.

Technical ContextAI

The affected product is the TP-Link Tapo C520WS v2 IP camera, identified by CPE cpe:2.3:a:tp-link_systems_inc.:tapo_c520ws_v2:*:*:*:*:*:*:*:*, which implements the ONVIF (Open Network Video Interface Forum) protocol - an industry-standard management interface for interoperable IP camera control commonly exposed on local networks. The vulnerability is classified as CWE-121 (Stack-Based Buffer Overflow): the ONVIF DeleteUsers service handler fails to enforce boundary checks on the count of user identifier elements supplied in a single request. When an attacker provides an abnormally large array of identifiers, the data is copied onto the stack without size validation, overflowing the allocated stack frame, corrupting the call stack, and causing the service process to crash or enter a deadlock state. Because ONVIF is a locally-facing management protocol rather than an internet-exposed interface, the attack surface is constrained to adjacent network segments.

RemediationAI

A patch is available per the TP-Link vendor advisory. Update the Tapo C520WS v2 firmware to the latest available version using the official TP-Link firmware release notes page for the US region (https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes) or international region (https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes). Additional TP-Link security guidance is available at https://www.tp-link.com/us/support/faq/5120/. Importantly, the exact patched firmware version number is not specified in the provided data - verify the changelog before deployment. As a compensating control prior to patching, restrict ONVIF service access to only explicitly trusted management hosts by enforcing network-level ACLs or VLAN isolation on camera segments; this directly limits the adjacent-vector attack surface but requires firewall or switch configuration effort. If ONVIF is not operationally required, disabling the ONVIF interface entirely eliminates this attack surface, though doing so will break any third-party VMS or NVR integrations relying on the protocol. Enforce strong, unique administrator credentials on all camera devices to raise the effective cost of the required PR:H prerequisite.

Share

CVE-2026-6240 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy