Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution.
Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.
AnalysisAI
Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the same network segment to crash the camera's event notification service by supplying crafted format string specifiers in subscription requests or notification generation parameters. Successful exploitation terminates the ONVIF Subscribe service unexpectedly, silently disabling real-time motion alerts and alarm notifications until service recovery or device reboot - a safety-relevant impact in physical security deployments. No public exploit code has been identified at time of analysis, and TP-Link has self-disclosed the issue alongside a firmware patch.
Technical ContextAI
The Tapo C520WS v2 is a TP-Link Wi-Fi security camera implementing the ONVIF (Open Network Video Interface Forum) protocol, an industry standard for IP camera interoperability. The ONVIF Subscribe service handles event subscription lifecycle and notification delivery between the camera and upstream management clients such as NVR software. CWE-134 (Use of Externally-Controlled Format String) describes the root cause class: user-supplied data is passed insufficiently sanitized into a C-style format function (e.g., printf family), allowing an attacker to inject format specifiers like %s or %n that manipulate stack reads and cause service crashes or potentially arbitrary memory corruption. The CPE string cpe:2.3:a:tp-link_systems_inc.:tapo_c520ws_v2:*:*:*:*:*:*:*:* with a wildcard version field confirms all firmware versions of the v2 hardware line are affected prior to the patch. The CVSS 4.0 adjacent network vector (AV:A) is consistent with ONVIF services being LAN-scoped and not directly internet-routable in standard deployments.
RemediationAI
The primary fix is to update the Tapo C520WS v2 to the latest firmware version available from TP-Link's official download page at https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes and consult the advisory at https://www.tp-link.com/us/support/faq/5120/ for confirmed patched version details. Note: the exact patched firmware version number is not specified in currently available advisory data - apply the most recent release listed and verify against the release notes. As compensating controls while patching, administrators should restrict network access to the camera's ONVIF service port (typically TCP 80/8080 and RTSP 554) via VLAN segmentation or firewall ACLs, limiting reachability to trusted NVR hosts only - this addresses the AV:A prerequisite and raises the bar significantly. Enforcing strong, unique administrative credentials removes the PR:H prerequisite for opportunistic attackers. Disabling ONVIF event subscription entirely eliminates the attack surface but will break third-party NVR event integration as a side effect.
More in Tapo C520Ws V2
View allDenial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render th
Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to exec
Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an a
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to c
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authentic
Same weakness CWE-134 – Use of Externally-Controlled Format String
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34937
GHSA-m9ww-xwm5-pf57