Tapo C520Ws V2
Monthly
Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the same network segment to crash the camera's event notification service by supplying crafted format string specifiers in subscription requests or notification generation parameters. Successful exploitation terminates the ONVIF Subscribe service unexpectedly, silently disabling real-time motion alerts and alarm notifications until service recovery or device reboot - a safety-relevant impact in physical security deployments. No public exploit code has been identified at time of analysis, and TP-Link has self-disclosed the issue alongside a firmware patch.
Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an adjacent network segment to crash the ONVIF service by injecting format specifiers into AddScopes scope parameters, resulting in a denial-of-service condition that disrupts normal camera operation. The vulnerability (CWE-134) is confined to availability impact only - no confidentiality or integrity compromise is possible. No public exploit code has been identified at time of analysis, and a vendor-released patch is available from TP-Link.
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to crash the device's ONVIF service by submitting a crafted DeleteUsers request containing an excessive number of user identifiers, causing a denial-of-service condition that disrupts camera management and monitoring functionality. The CVSS:4.0 vector (VC:N/VI:N/VA:H) confirms impact is strictly limited to availability - no confidentiality or integrity compromise is achievable. No public exploit identified at time of analysis and no active exploitation has been confirmed.
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authenticated, adjacent-network attacker to crash the ONVIF management process by sending a crafted request with an excessive number of XML user nodes. Exploitation results in a denial-of-service condition that disrupts ONVIF-based device configuration and management until the service recovers or the device is rebooted. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor (TP-Link) has released a firmware patch.
Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to execute privileged operations they are not entitled to perform. By abusing the device API's legitimate method mapping behavior, an authenticated low-privilege attacker on the adjacent network can disguise sensitive calls as whitelisted ones, leading to integrity loss and high availability impact including device resets and configuration changes. No public exploit identified at time of analysis, and the issue was reported by TP-Link itself with a vendor patch available.
Denial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render the camera's video streaming service non-responsive by sending syntactically invalid RTSP input. The flaw is reachable without authentication or user interaction from the local network segment (CVSS 4.0 vector AV:A/PR:N/UI:N) and no public exploit identified at time of analysis. While confidentiality and integrity are unaffected, availability of the surveillance stream is fully impacted, which is operationally significant for a security camera.
Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the same network segment to crash the camera's event notification service by supplying crafted format string specifiers in subscription requests or notification generation parameters. Successful exploitation terminates the ONVIF Subscribe service unexpectedly, silently disabling real-time motion alerts and alarm notifications until service recovery or device reboot - a safety-relevant impact in physical security deployments. No public exploit code has been identified at time of analysis, and TP-Link has self-disclosed the issue alongside a firmware patch.
Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an adjacent network segment to crash the ONVIF service by injecting format specifiers into AddScopes scope parameters, resulting in a denial-of-service condition that disrupts normal camera operation. The vulnerability (CWE-134) is confined to availability impact only - no confidentiality or integrity compromise is possible. No public exploit code has been identified at time of analysis, and a vendor-released patch is available from TP-Link.
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to crash the device's ONVIF service by submitting a crafted DeleteUsers request containing an excessive number of user identifiers, causing a denial-of-service condition that disrupts camera management and monitoring functionality. The CVSS:4.0 vector (VC:N/VI:N/VA:H) confirms impact is strictly limited to availability - no confidentiality or integrity compromise is achievable. No public exploit identified at time of analysis and no active exploitation has been confirmed.
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authenticated, adjacent-network attacker to crash the ONVIF management process by sending a crafted request with an excessive number of XML user nodes. Exploitation results in a denial-of-service condition that disrupts ONVIF-based device configuration and management until the service recovers or the device is rebooted. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor (TP-Link) has released a firmware patch.
Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to execute privileged operations they are not entitled to perform. By abusing the device API's legitimate method mapping behavior, an authenticated low-privilege attacker on the adjacent network can disguise sensitive calls as whitelisted ones, leading to integrity loss and high availability impact including device resets and configuration changes. No public exploit identified at time of analysis, and the issue was reported by TP-Link itself with a vendor patch available.
Denial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render the camera's video streaming service non-responsive by sending syntactically invalid RTSP input. The flaw is reachable without authentication or user interaction from the local network segment (CVSS 4.0 vector AV:A/PR:N/UI:N) and no public exploit identified at time of analysis. While confidentiality and integrity are unaffected, availability of the surveillance stream is fully impacted, which is operationally significant for a security camera.