Skip to main content

Tapo C520WS v2 CVE-2026-6242

| EUVDEUVD-2026-34937 MEDIUM
Use of Externally-Controlled Format String (CWE-134)
2026-06-05 TPLink GHSA-m9ww-xwm5-pf57
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 00:35 vuln.today
CVSS changed
Jun 06, 2026 - 00:22 NVD
6.8 (MEDIUM)

DescriptionCVE.org

An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution.

Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.

AnalysisAI

Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the same network segment to crash the camera's event notification service by supplying crafted format string specifiers in subscription requests or notification generation parameters. Successful exploitation terminates the ONVIF Subscribe service unexpectedly, silently disabling real-time motion alerts and alarm notifications until service recovery or device reboot - a safety-relevant impact in physical security deployments. No public exploit code has been identified at time of analysis, and TP-Link has self-disclosed the issue alongside a firmware patch.

Technical ContextAI

The Tapo C520WS v2 is a TP-Link Wi-Fi security camera implementing the ONVIF (Open Network Video Interface Forum) protocol, an industry standard for IP camera interoperability. The ONVIF Subscribe service handles event subscription lifecycle and notification delivery between the camera and upstream management clients such as NVR software. CWE-134 (Use of Externally-Controlled Format String) describes the root cause class: user-supplied data is passed insufficiently sanitized into a C-style format function (e.g., printf family), allowing an attacker to inject format specifiers like %s or %n that manipulate stack reads and cause service crashes or potentially arbitrary memory corruption. The CPE string cpe:2.3:a:tp-link_systems_inc.:tapo_c520ws_v2:*:*:*:*:*:*:*:* with a wildcard version field confirms all firmware versions of the v2 hardware line are affected prior to the patch. The CVSS 4.0 adjacent network vector (AV:A) is consistent with ONVIF services being LAN-scoped and not directly internet-routable in standard deployments.

RemediationAI

The primary fix is to update the Tapo C520WS v2 to the latest firmware version available from TP-Link's official download page at https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes and consult the advisory at https://www.tp-link.com/us/support/faq/5120/ for confirmed patched version details. Note: the exact patched firmware version number is not specified in currently available advisory data - apply the most recent release listed and verify against the release notes. As compensating controls while patching, administrators should restrict network access to the camera's ONVIF service port (typically TCP 80/8080 and RTSP 554) via VLAN segmentation or firewall ACLs, limiting reachability to trusted NVR hosts only - this addresses the AV:A prerequisite and raises the bar significantly. Enforcing strong, unique administrative credentials removes the PR:H prerequisite for opportunistic attackers. Disabling ONVIF event subscription entirely eliminates the attack surface but will break third-party NVR event integration as a side effect.

Share

CVE-2026-6242 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy