Skip to main content

TP-Link Tapo C200 EUVDEUVD-2026-33978

| CVE-2026-1871 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-02 TPLink GHSA-92jw-rf4g-rwr2
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 02, 2026 - 17:30 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
7.1 (HIGH)

DescriptionCVE.org

TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request.

Successful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera’s live video stream or management interface until the service restarts.

AnalysisAI

Denial of service in TP-Link Tapo C200 v5 IP cameras allows adjacent network attackers to crash the RTSP service and force a device reboot by sending a crafted Authorization header in an RTSP authentication request. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP authentication handler; no public exploit identified at time of analysis, but vendor-acknowledged and patched firmware is available from TP-Link.

Technical ContextAI

The Tapo C200 v5 is a consumer/SMB Wi-Fi pan-tilt IP camera that exposes a Real Time Streaming Protocol (RTSP) service for live video access. RTSP authentication typically uses HTTP-style Digest or Basic challenges carried in an Authorization header. The CWE-121 stack-based buffer overflow indicates that the camera's RTSP core service copies the Authorization header value into a fixed-size stack buffer without first validating its length, so an oversized header overruns the buffer, corrupts the call stack, and crashes the service. The CPE confirms the issue is scoped to cpe:2.3:a:tp-link_systems_inc.:tapo_c200_v5, i.e. the v5 hardware revision of the Tapo C200 line.

RemediationAI

Patch available per vendor advisory: download and install the latest Tapo C200 v5 firmware from the TP-Link release-notes page (https://www.tp-link.com/us/support/download/tapo-c200/v5/#Firmware-Release-Notes, regional mirrors at /en/ and /kr/) and reference the vendor FAQ at https://www.tp-link.com/us/support/faq/5113/ for confirmation of the fixed build. As the exact patched version string is not included in the input, verify the installed firmware against the release notes after upgrading. Until firmware can be applied, segment the camera onto an isolated IoT VLAN or dedicated SSID so only trusted hosts share its broadcast domain (limits the AV:A attack surface), disable the RTSP service via the Tapo app if live RTSP streaming is not required (loses third-party NVR/VLC integration), and block inbound RTSP (TCP/554) from untrusted clients at the access point or router firewall.

CVE-2015-3035 HIGH POC
7.5 Apr 22

Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before

CVE-2013-2578 CRITICAL POC
10.0 Oct 11

cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models be

CVE-2021-41653 CRITICAL POC
9.8 Nov 13

The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to r

CVE-2022-25061 CRITICAL POC
9.8 Feb 25

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_set

CVE-2015-3036 CRITICAL POC
10.0 May 21

Stack-based buffer overflow in the run_init_sbus function in the KCodes NetUSB module for the Linux kernel, as used in c

CVE-2012-5687 HIGH POC
7.8 Nov 01

Directory traversal vulnerability in the web-based management feature on the TP-LINK TL-WR841N router with firmware 3.13

CVE-2022-25060 CRITICAL POC
9.8 Feb 25

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_sta

CVE-2025-9377 HIGH
8.6 Aug 29

TP-Link Archer C7 and TL-WR841N routers contain an authenticated remote command execution vulnerability in the Parental

CVE-2024-57049 CRITICAL POC
9.8 Feb 18

A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized indi

CVE-2017-13772 HIGH POC
8.8 Oct 23

Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated

CVE-2022-25064 CRITICAL POC
9.8 Feb 25

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the functio

CVE-2022-30075 HIGH POC
8.8 Jun 09

In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote

Share

EUVD-2026-33978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy