Skip to main content

Tapo C520WS v2 CVE-2026-6241

| EUVDEUVD-2026-34936 MEDIUM
Use of Externally-Controlled Format String (CWE-134)
2026-06-05 TPLink GHSA-pmj5-p8gw-hpgq
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 00:34 vuln.today
CVSS changed
Jun 06, 2026 - 00:22 NVD
6.8 (MEDIUM)

DescriptionCVE.org

An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.

Successful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.

AnalysisAI

Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an adjacent network segment to crash the ONVIF service by injecting format specifiers into AddScopes scope parameters, resulting in a denial-of-service condition that disrupts normal camera operation. The vulnerability (CWE-134) is confined to availability impact only - no confidentiality or integrity compromise is possible. No public exploit code has been identified at time of analysis, and a vendor-released patch is available from TP-Link.

Technical ContextAI

The Tapo C520WS v2 is a TP-Link IP surveillance camera that implements the ONVIF (Open Network Video Interface Forum) protocol for standardized device interoperability and management. The vulnerable component is the ONVIF AddScopes operation, which allows authenticated clients to append scope URIs to the device's scope list. CWE-134 (Use of Externally-Controlled Format String) identifies the root cause: user-supplied scope strings are passed directly to a printf-family formatting function without sanitization, enabling injection of format specifiers such as %s, %x, or %n. This class of vulnerability allows an attacker to manipulate stack or heap memory layout; in this instance the primary confirmed outcome is a service crash. The affected product is confirmed by CPE cpe:2.3:a:tp-link_systems_inc.:tapo_c520ws_v2:*:*:*:*:*:*:*:*, where the wildcard version field indicates all firmware versions of the Tapo C520WS v2 hardware revision are potentially within scope.

RemediationAI

A vendor-released patch is available from TP-Link. Administrators should update the Tapo C520WS v2 firmware to the latest available version via TP-Link's official firmware download pages at https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes (US) or https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes (global), and consult the security advisory at https://www.tp-link.com/us/support/faq/5120/. The exact patched firmware version number is not independently confirmed from the available data - verify the specific build against the advisory before deployment. As compensating controls prior to patching: disable ONVIF entirely if it is not operationally required, as this removes the attack surface completely; restrict ONVIF protocol access to dedicated trusted management VLANs to enforce the adjacent-network constraint in a way that excludes untrusted users; and enforce strict, unique administrative credential policies since PR:H means no exploitation is possible without authenticated high-privilege access. Note that disabling ONVIF may break third-party NVR or VMS integrations that rely on the protocol for discovery and management.

Share

CVE-2026-6241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy