An attacker sending malformed requests over LAN to a TP-Link Smart camera device can trigger the vulnerability described here.
This report describes a cryptographic design vulnerability that enables offline password brute-forcing, which may lead to TAPO cloud account compromise.
The vulnerability we are disclosing in this advisory affects a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory has not yet been released for this vulnerability.
Vulnerability Details
The following diagram summarizes the TAPO camera authentication procedure:
First, the client queries the acn, then calculates the digest password the following way: H(cnonce + H(pw) + acn) + acn + cnonce. The device_confirm value contains the hashed password to prove the identity of the device to the app (or other party), as follows: H(cnonce + H(pw) + acn) + acn + cnonce = device_confirm.
An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here.
This report describes a stack buffer overflow, which leads to remote code execution.
The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2026-34122.
Vulnerability Details
There is an unsafe strcpy in the handler function of the set_park_config DS action of the HTTP server in TAPO devices:
ds_set_park_config() { iVar1 = get_some_global(); if (iVar1 != 0) { memcpy(&local_48,(void *)(iVar1 + 0x10),0x38); action_mode = jso_obj_get_string_origin(root,"enabled"); if ((action_mode !
An attacker sending malformed miIO messages over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here.
This report describes a secure protocol design issue, which leads to authentication bypass in the proprietary Xiaomi miIO protocol.
The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure.
Vulnerability Details
For packets received on UDP port 54321, the miio_client binary verifies the MAC and then decrypts the received packet.
An attacker sending malformed miIO messages over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here.
This report describes the use of a cryptographically weak PRNG implementation, which leads to reliable prediction of cryptographic primitives used in the proprietary Xiaomi miIO protocol's authentication and key agreement procedure.
The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure.
An attacker sending a malformed miIO message over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here.
This report describes a heap buffer overflow, which leads to remote code execution.
The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure.
Vulnerability Details
Due to a flaw in the design of the handshake sequence, it is possible to complete the setup flow without knowledge of the setup code by replaying certain values that the camera sends.