Skip to main content

Tapo C110 EUVDEUVD-2026-36326

| CVE-2026-6250 HIGH
Use of Externally-Controlled Format String (CWE-134)
2026-06-11 TPLink GHSA-4gmj-9m2m-6h5f
7.0
CVSS 4.0 · Vendor: TPLink
Share

Severity by source

Vendor (TPLink) PRIMARY
7.0 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Adjacent-network ONVIF service requiring valid low-privileged camera credentials; no confidentiality loss, but factory reset yields high integrity and availability impact with no scope change.

3.1 AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TPLink).

CVSS VectorVendor: TPLink

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 11, 2026 - 21:50 vuln.today

DescriptionCVE.org

An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input.  Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses.

A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.

AnalysisAI

Authenticated format string vulnerability in the ONVIF service of TP-Link Tapo C110 v2 cameras allows adjacent-network attackers with valid credentials to manipulate stack memory and redirect execution to internal functions, triggering an unauthorized factory reset. Successful exploitation wipes configuration, deletes stored credentials, and disrupts video surveillance service. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Technical ContextAI

The Tapo C110 v2 is a TP-Link Wi-Fi home security camera that exposes an ONVIF (Open Network Video Interface Forum) service for standardized IP-camera management over the local network. CWE-134 (Use of Externally-Controlled Format String) occurs when user-supplied input is passed directly as the format string argument to a printf-family function; format specifiers such as %x, %s, and %n then read or write arbitrary stack memory. In this case the ONVIF request handler interprets attacker-controlled data as a format string, enabling targeted writes against stack-resident control-flow data including saved return addresses. Because the CPE scope is limited to tp-link_systems_inc:tapo_c110_v2 (all firmware up to the patched release), only this specific camera SKU/hardware revision is confirmed in-scope.

RemediationAI

Patch available per vendor advisory: update Tapo C110 v2 firmware to the fixed release published by TP-Link via the Tapo app or the firmware page at https://www.tp-link.com/us/support/download/tapo-c110/v2/#Firmware-Release-Notes (regional mirrors: /en/ and /kr/), and review TP-Link advisory https://www.tp-link.com/us/support/faq/5128/ for the exact fixed version. Until firmware is applied, isolate cameras on a dedicated IoT VLAN or Wi-Fi SSID that blocks lateral access from untrusted clients, and restrict ONVIF (typically TCP/2020 or vendor-specific port) to known NVR/management hosts only - note that this will break third-party ONVIF clients and home-automation integrations that rely on the same port. Rotate camera account passwords and remove any shared low-privileged Tapo accounts, since exploitation requires valid credentials; avoid disabling ONVIF entirely unless you do not use any ONVIF integrations, as it will also break legitimate NVR recording.

Share

EUVD-2026-36326 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy