Skip to main content

Kasa Camera CVE-2026-9770

| EUVDEUVD-2026-44576 HIGH
Use of Hard-coded Cryptographic Key (CWE-321)
2026-07-15 TPLink GHSA-q3g3-7q7p-5jwv
8.6
CVSS 4.0 · Vendor: TPLink
Share

Severity by source

Vendor (TPLink) PRIMARY
8.6 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Adjacent-network only (AV:A) with no auth or interaction; shared key enables both traffic decryption (C:H) and active MITM tampering (I:H), no availability impact.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (TPLink).

CVSS VectorVendor: TPLink

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 01:15 vuln.today
CVE Published
Jul 15, 2026 - 00:21 cve.org
HIGH 8.6

DescriptionCVE.org

Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem that is shared across devices.  An attacker with access to the firmware image can extract the embedded key.

Successful exploitation may allow an unauthenticated attacker on the same network to use this key in the web management service, compromising the confidentiality of encrypted communications. This may enable passive decryption of traffic or active man-in-the-middle (MITM) attacks

AnalysisAI

Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain EC71/EC70 firmware image
Delivery
Extract shared static private key
Exploit
Gain adjacent-network position
Execution
Intercept web management TLS session
Persist
Decrypt or MITM traffic
Impact
Compromise confidentiality/integrity

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the target device to run vulnerable Kasa EC71 v4 or EC70 v4 firmware containing the shared static key, and (2) the attacker to be positioned on the same adjacent/local network as the camera (CVSS AV:A) - remote internet exploitation is NOT indicated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are broadly consistent and point to a genuine but access-limited issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who joins the same Wi-Fi/LAN as a Kasa EC71 v4 or EC70 v4 camera - for example on a shared office, apartment, or guest network - extracts the static private key from a publicly obtainable firmware image beforehand. Using that key against the camera's web management service, they either passively decrypt captured session traffic or actively insert themselves as a man-in-the-middle to read and tamper with the management channel, all without any credentials. …
Remediation Patch available per vendor advisory: apply the corrected TP-Link firmware for the EC71 v4 and EC70 v4 from the official release notes (https://www.tp-link.com/us/support/download/ec71/v4/#Firmware-Release-Notes and https://www.tp-link.com/us/support/download/ec70/v4/#Firmware-Release-Notes; guidance at https://www.tp-link.com/us/support/faq/5192/) - the exact fixed build number is not stated in the input data and should be confirmed against those release notes before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and inventory all deployed TP-Link Kasa EC71 v4 and EC70 v4 cameras and confirm their network accessibility and connectivity status. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9770 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy