Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent-network ONVIF service requiring valid low-privileged camera credentials; no confidentiality loss, but factory reset yields high integrity and availability impact with no scope change.
Primary rating from Vendor (TPLink).
CVSS VectorVendor: TPLink
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses.
A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.
AnalysisAI
Authenticated format string vulnerability in the ONVIF service of TP-Link Tapo C110 v2 cameras allows adjacent-network attackers with valid credentials to manipulate stack memory and redirect execution to internal functions, triggering an unauthorized factory reset. Successful exploitation wipes configuration, deletes stored credentials, and disrupts video surveillance service. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Technical ContextAI
The Tapo C110 v2 is a TP-Link Wi-Fi home security camera that exposes an ONVIF (Open Network Video Interface Forum) service for standardized IP-camera management over the local network. CWE-134 (Use of Externally-Controlled Format String) occurs when user-supplied input is passed directly as the format string argument to a printf-family function; format specifiers such as %x, %s, and %n then read or write arbitrary stack memory. In this case the ONVIF request handler interprets attacker-controlled data as a format string, enabling targeted writes against stack-resident control-flow data including saved return addresses. Because the CPE scope is limited to tp-link_systems_inc:tapo_c110_v2 (all firmware up to the patched release), only this specific camera SKU/hardware revision is confirmed in-scope.
RemediationAI
Patch available per vendor advisory: update Tapo C110 v2 firmware to the fixed release published by TP-Link via the Tapo app or the firmware page at https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes (regional mirrors: /en/ and /kr/), and review TP-Link advisory https://www.tp-link.com/us/support/faq/5128/ for the exact fixed version. Until firmware is applied, isolate cameras on a dedicated IoT VLAN or Wi-Fi SSID that blocks lateral access from untrusted clients, and restrict ONVIF (typically TCP/2020 or vendor-specific port) to known NVR/management hosts only - note that this will break third-party ONVIF clients and home-automation integrations that rely on the same port. Rotate camera account passwords and remove any shared low-privileged Tapo accounts, since exploitation requires valid credentials; avoid disabling ONVIF entirely unless you do not use any ONVIF integrations, as it will also break legitimate NVR recording.
Same weakness CWE-134 – Use of Externally-Controlled Format String
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36326
GHSA-4gmj-9m2m-6h5f