Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.
An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.
An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.
D100C is the chime delivered with your Tapo camera, and it is delivered with the following Tapo products:
D130, D210, D235, D225, TD21, TDB21 and TD25
AnalysisAI
Cleartext Bluetooth transmission in TP-Link Tapo L535E, P300, and D100C devices allows adjacent attackers to intercept and manipulate initial setup data, enabling potential unauthorized device control during onboarding. The flaw stems from missing encryption on the Bluetooth pairing channel used only during initialization, and TP-Link has released patched firmware versions for all affected models. No public exploit identified at time of analysis, but the low complexity and absence of authentication make this a meaningful risk for users provisioning devices in dense urban or office environments.
Technical ContextAI
The affected products are TP-Link Tapo smart-home devices: the L535E smart lock (v1.0 and v3.0), the P300 smart power strip (v1.0), and the D100C smart chime (v1.0) which ships bundled with multiple Tapo camera/doorbell SKUs (D130, D210, D235, D225, TD21, TDB21, TD25). During first-time provisioning, these devices use Bluetooth Low Energy as an out-of-band channel to receive Wi-Fi credentials and pairing data from the Tapo mobile app. The root cause maps to CWE-319 (Cleartext Transmission of Sensitive Information): the BLE setup channel lacks application-layer encryption, so payloads - potentially including Wi-Fi SSID/PSK and device-binding tokens - traverse the air in plaintext where any nearby BLE radio can capture them. Bluetooth is described as being used only during initialization, meaning the exposure window is limited to the provisioning event rather than steady-state operation.
RemediationAI
Vendor-released patches are available: upgrade Tapo L535E to firmware 1.4.1 Build 251016 Rel.204554 (download links at https://www.tp-link.com/us/support/download/tapo-l535e/ and the v3 variant at https://www.tp-link.com/en/support/download/tapo-l535e/v3/), Tapo P300 to JP_1.4.0 Build 260416 Rel.014037 or EU_1.4.2 Build 251219 Rel.142654 depending on region (https://www.tp-link.com/jp/support/download/tapo-p300/ and https://www.tp-link.com/en/support/download/tapo-p300/), and Tapo D100C to 1.3.1 Build 260421 Rel.031658. Because the vulnerability is exploitable only during initial setup, the most effective compensating control for unpatched units is to perform provisioning in a Bluetooth-quiet environment (e.g., away from windows, neighbors, and public spaces) and to power-cycle and re-provision any device previously set up in an untrusted location with the patched firmware preloaded; the trade-off is added friction and the need to physically verify radio isolation. Factory-resetting an already-deployed device without first updating firmware would re-expose the same cleartext window, so always apply the firmware update before any re-pairing operation.
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before
cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models be
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to r
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_set
Stack-based buffer overflow in the run_init_sbus function in the KCodes NetUSB module for the Linux kernel, as used in c
Directory traversal vulnerability in the web-based management feature on the TP-LINK TL-WR841N router with firmware 3.13
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_sta
TP-Link Archer C7 and TL-WR841N routers contain an authenticated remote command execution vulnerability in the Parental
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized indi
Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the functio
In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32969
GHSA-p93f-7gcr-x8pr