Skip to main content

Kasa Ec70 V4

2 CVEs product

Monthly

CVE-2026-13230 MEDIUM PATCH This Month

Unauthenticated information disclosure in TP-Link Kasa EC70 v4 and EC71 v4 exposes sensitive geolocation data to any attacker on the same local network segment. The flaw resides in the devices' local discovery mechanism, which returns geolocation-related information in response to crafted network probes without requiring any credentials. Impact is limited to confidentiality; no integrity or availability compromise is possible through this vector. No public exploit exists and no active exploitation has been confirmed.

TP-Link Information Disclosure Kasa Ec71 V4 Kasa Ec70 V4
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-9770 HIGH PATCH This Week

Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. TP-Link (the reporting vendor) has released fixed firmware; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV.

Information Disclosure Kasa Ec71 V4 Kasa Ec70 V4
NVD VulDB
CVSS 4.0
8.6
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated information disclosure in TP-Link Kasa EC70 v4 and EC71 v4 exposes sensitive geolocation data to any attacker on the same local network segment. The flaw resides in the devices' local discovery mechanism, which returns geolocation-related information in response to crafted network probes without requiring any credentials. Impact is limited to confidentiality; no integrity or availability compromise is possible through this vector. No public exploit exists and no active exploitation has been confirmed.

TP-Link Information Disclosure Kasa Ec71 V4 +1
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. TP-Link (the reporting vendor) has released fixed firmware; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV.

Information Disclosure Kasa Ec71 V4 Kasa Ec70 V4
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy