Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent-network only (AV:A) with no auth or interaction; shared key enables both traffic decryption (C:H) and active MITM tampering (I:H), no availability impact.
Primary rating from Vendor (TPLink).
CVSS VectorVendor: TPLink
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem that is shared across devices. An attacker with access to the firmware image can extract the embedded key.
Successful exploitation may allow an unauthenticated attacker on the same network to use this key in the web management service, compromising the confidentiality of encrypted communications. This may enable passive decryption of traffic or active man-in-the-middle (MITM) attacks
AnalysisAI
Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) the target device to run vulnerable Kasa EC71 v4 or EC70 v4 firmware containing the shared static key, and (2) the attacker to be positioned on the same adjacent/local network as the camera (CVSS AV:A) - remote internet exploitation is NOT indicated. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are broadly consistent and point to a genuine but access-limited issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who joins the same Wi-Fi/LAN as a Kasa EC71 v4 or EC70 v4 camera - for example on a shared office, apartment, or guest network - extracts the static private key from a publicly obtainable firmware image beforehand. Using that key against the camera's web management service, they either passively decrypt captured session traffic or actively insert themselves as a man-in-the-middle to read and tamper with the management channel, all without any credentials. … |
| Remediation | Patch available per vendor advisory: apply the corrected TP-Link firmware for the EC71 v4 and EC70 v4 from the official release notes (https://www.tp-link.com/us/support/download/ec71/v4/#Firmware-Release-Notes and https://www.tp-link.com/us/support/download/ec70/v4/#Firmware-Release-Notes; guidance at https://www.tp-link.com/us/support/faq/5192/) - the exact fixed build number is not stated in the input data and should be confirmed against those release notes before deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and inventory all deployed TP-Link Kasa EC71 v4 and EC70 v4 cameras and confirm their network accessibility and connectivity status. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kasa Ec71 V4
View allSame weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44576
GHSA-q3g3-7q7p-5jwv