Home

Description

An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.

PUBLISHED Reserved 2026-04-13 | Published 2026-06-11 | Updated 2026-06-12 | Assigner TPLink




HIGH: 7.0CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-134 Use of Externally-Controlled format string

Product status

Default status
unaffected

Any version before 1.5.4 Build 260428
affected

Credits

Juhyeop Lee(@juhye0p) of STEALIEN finder

References

www.tp-link.com/us/support/download/tapo-c110/v2/ patch

www.tp-link.com/en/support/download/tapo-c110/v2/ patch

www.tp-link.com/kr/support/download/tapo-c110/v2/ patch

www.tp-link.com/us/support/faq/5128/ vendor-advisory

cve.org (CVE-2026-6250)

nvd.nist.gov (CVE-2026-6250)

Download JSON