Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.
Successful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.
AnalysisAI
Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an adjacent network segment to crash the ONVIF service by injecting format specifiers into AddScopes scope parameters, resulting in a denial-of-service condition that disrupts normal camera operation. The vulnerability (CWE-134) is confined to availability impact only - no confidentiality or integrity compromise is possible. No public exploit code has been identified at time of analysis, and a vendor-released patch is available from TP-Link.
Technical ContextAI
The Tapo C520WS v2 is a TP-Link IP surveillance camera that implements the ONVIF (Open Network Video Interface Forum) protocol for standardized device interoperability and management. The vulnerable component is the ONVIF AddScopes operation, which allows authenticated clients to append scope URIs to the device's scope list. CWE-134 (Use of Externally-Controlled Format String) identifies the root cause: user-supplied scope strings are passed directly to a printf-family formatting function without sanitization, enabling injection of format specifiers such as %s, %x, or %n. This class of vulnerability allows an attacker to manipulate stack or heap memory layout; in this instance the primary confirmed outcome is a service crash. The affected product is confirmed by CPE cpe:2.3:a:tp-link_systems_inc.:tapo_c520ws_v2:*:*:*:*:*:*:*:*, where the wildcard version field indicates all firmware versions of the Tapo C520WS v2 hardware revision are potentially within scope.
RemediationAI
A vendor-released patch is available from TP-Link. Administrators should update the Tapo C520WS v2 firmware to the latest available version via TP-Link's official firmware download pages at https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes (US) or https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes (global), and consult the security advisory at https://www.tp-link.com/us/support/faq/5120/. The exact patched firmware version number is not independently confirmed from the available data - verify the specific build against the advisory before deployment. As compensating controls prior to patching: disable ONVIF entirely if it is not operationally required, as this removes the attack surface completely; restrict ONVIF protocol access to dedicated trusted management VLANs to enforce the adjacent-network constraint in a way that excludes untrusted users; and enforce strict, unique administrative credential policies since PR:H means no exploitation is possible without authenticated high-privilege access. Note that disabling ONVIF may break third-party NVR or VMS integrations that rely on the protocol for discovery and management.
More in Tapo C520Ws V2
View allDenial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render th
Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to exec
Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the s
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to c
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authentic
Same weakness CWE-134 – Use of Externally-Controlled Format String
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34936
GHSA-pmj5-p8gw-hpgq