Description

Exposure of password hashes through an unauthenticated API response in TP-Link Tapo C210 V.1.8 app on iOS and Android, allowing attackers to brute force the password in the local network. The issue can be mitigated through mobile application updates. Device firmware remains unchanged.

PUBLISHED | Reserved 2025-12-11 | Published 2025-12-16 | Updated 2025-12-17 | Assigner TPLink




HIGH: 7.0 | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Problem types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status: unaffected
Any version before 3.1.6: affected

Default status: unaffected
Any version before 3.1.601: affected

Credits

Juraj Nyíri (finder)

References

apps.apple.com/us/app/tp-link-tapo/id1472718009

play.google.com/store/apps/details?id=com.tplink.iot

www.tp-link.com/us/support/faq/4840/

cve.org (CVE-2025-14553)

nvd.nist.gov (CVE-2025-14553)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.