TVE-2026-05: TP-Link offline password bruteforce

An attacker sending malformed requests over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a cryptographic design vulnerability, which enables offline password bruteforce and may lead to TAPO cloud account compromise. The vulnerability we are disclosing in this advisory affects a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory has not yet been released for this vulnerability.

Vulnerability Details

The following diagram summarizes the TAPO camera authentication procedure: First, the client queries the acn, then calculates the digest password the following way:

    H(cnonce + H(pw) + acn) + acn + cnonce

The device_confirm value contains the hashed password to prove the identity of the device to the app (or other party), as follows:

    H(cnonce + H(pw) + acn) + acn + cnonce = device_confirm

Since cnonce, acn and device_confirm are all visible to the party that ran the handshake, pw is the only unknown in this equation, and a password guess can be verified against device_confirm without any further interaction with the device.
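The following is an added example, not TP-Link's code, that models the handshake above and shows why a single captured exchange is enough for offline guessing. The advisory does not name the hash, so H() is modelled here by a 64-bit FNV-1a rendered as hex (an assumption; the flaw does not depend on which public hash is used), and the nonces, password and wordlist are constructed stand-ins for a captured LAN exchange.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEXLEN 16   /* hex digits produced by the stand-in hash */

/* Stand-in for the device's H(): 64-bit FNV-1a rendered as lowercase hex.
 * Assumption: the real H is a different, but equally public and
 * deterministic, function; that is all the attack below relies on. */
static void H_hex(const char *msg, char out[HEXLEN + 1]) {
    uint64_t h = 1469598103934665603ULL;
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++) {
        h ^= *p;
        h *= 1099511628211ULL;
    }
    snprintf(out, HEXLEN + 1, "%016llx", (unsigned long long)h);
}

/* device_confirm = H(cnonce + H(pw) + acn) + acn + cnonce, the value the
 * camera returns to prove it knows pw. Either side can compute it. */
static void device_confirm(const char *pw, const char *cnonce, const char *acn,
                           char *out, size_t outsz) {
    char hpw[HEXLEN + 1], inner[HEXLEN + 1], buf[256];
    H_hex(pw, hpw);
    snprintf(buf, sizeof buf, "%s%s%s", cnonce, hpw, acn);
    H_hex(buf, inner);
    snprintf(out, outsz, "%s%s%s", inner, acn, cnonce);
}

/* Offline attack: cnonce was chosen by whoever drove the handshake, acn and
 * device_confirm came back over the LAN, so pw is the only unknown and every
 * guess is checked locally, with no further traffic and no lockout.
 * Returns the index of the matching candidate, or -1. */
static int offline_bruteforce(const char *captured_confirm, const char *cnonce,
                              const char *acn, const char *const *candidates,
                              size_t n) {
    char guess[256];
    for (size_t i = 0; i < n; i++) {
        device_confirm(candidates[i], cnonce, acn, guess, sizeof guess);
        if (strcmp(guess, captured_confirm) == 0)
            return (int)i;
    }
    return -1;
}

int main(void) {
    /* Constructed stand-ins for a captured exchange. */
    const char *cnonce = "A1B2C3D4", *acn = "9F8E7D6C";
    char captured[256];
    device_confirm("hunter2", cnonce, acn, captured, sizeof captured);

    const char *wordlist[] = { "password", "12345678", "tapo1234", "hunter2" };
    int hit = offline_bruteforce(captured, cnonce, acn, wordlist, 4);
    printf("device_confirm = %s\nrecovered password: %s\n",
           captured, hit >= 0 ? wordlist[hit] : "(none)");
    return 0;
}
```

The point of the example is in offline_bruteforce: nothing in the loop touches the device, so rate limiting or lockout on the camera does not help, and the cost of the attack is set entirely by the entropy of pw and the speed of H.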

CVE-2026-34122: TP-Link HTTP DS stack buffer overflow

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a stack buffer overflow, which leads to remote code execution. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2026-34122.

Vulnerability Details

There is an unsafe strcpy in the handler function of the set_park_config DS action of the HTTP server in TAPO devices:

    ds_set_park_config() {
        iVar1 = get_some_global();
        if (iVar1 != 0) {
            memcpy(&local_48,(void *)(iVar1 + 0x10),0x38);
            action_mode = jso_obj_get_string_origin(root,"enabled");
            if ((action_mode !
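Added example (not TP-Link firmware) of a handler with the same shape as the fragment above, with the unbounded copy beside a bounded replacement. The 0x38 buffer size and the "enabled" field name are taken from the decompiled fragment; the request body layout, the json_string_field stand-in for jso_obj_get_string_origin and the error codes are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define ACTION_MODE_LEN 0x38   /* stack buffer size in the handler fragment */

enum { PARK_OK = 0, PARK_ERR_MISSING = -1, PARK_ERR_TOOLONG = -2 };

/* Minimal stand-in for jso_obj_get_string_origin(root, key): finds a flat
 * "key":"value" pair in a JSON body (no escape handling). Returns the value
 * length and sets *val to its first byte, or -1 if absent. */
static int json_string_field(const char *body, const char *key, const char **val) {
    char pat[64];
    snprintf(pat, sizeof pat, "\"%s\"", key);
    const char *p = strstr(body, pat);
    if (p == NULL) return -1;
    p += strlen(pat);
    while (*p == ' ' || *p == ':') p++;
    if (*p != '"') return -1;
    const char *start = ++p;
    const char *end = strchr(start, '"');
    if (end == NULL) return -1;
    *val = start;
    return (int)(end - start);
}

/* Vulnerable shape: the attacker-controlled length is never compared with
 * the buffer. Only called below with a short value; with 0x38 bytes or more
 * it writes past action_mode, which is the bug in the advisory. */
static int set_park_config_vuln(const char *body) {
    char action_mode[ACTION_MODE_LEN];
    const char *val;
    int n = json_string_field(body, "enabled", &val);
    if (n < 0) return PARK_ERR_MISSING;
    memcpy(action_mode, val, (size_t)n);     /* same effect as the strcpy */
    action_mode[n] = '\0';
    return PARK_OK;
}

/* Hardened shape: reject anything that does not fit, terminator included. */
static int set_park_config_safe(const char *body, char *mode, size_t modesz) {
    const char *val;
    int n = json_string_field(body, "enabled", &val);
    if (n < 0) return PARK_ERR_MISSING;
    if ((size_t)n >= modesz) return PARK_ERR_TOOLONG;   /* the check strcpy lacked */
    memcpy(mode, val, (size_t)n);
    mode[n] = '\0';
    return PARK_OK;
}

/* Builds a constructed POST body whose "enabled" value is n copies of 'A'. */
static void build_park_request(char *out, size_t outsz, size_t n) {
    size_t w = (size_t)snprintf(out, outsz, "{\"method\":\"set_park_config\",\"enabled\":\"");
    for (size_t i = 0; i < n && w + 4 < outsz; i++) out[w++] = 'A';
    snprintf(out + w, outsz - w, "\"}");
}

int main(void) {
    char body[512], mode[ACTION_MODE_LEN];
    build_park_request(body, sizeof body, 200);
    int rc = set_park_config_safe(body, mode, sizeof mode);
    printf("200-byte value: rc=%d (%s)\n", rc, rc == PARK_ERR_TOOLONG ? "rejected" : "accepted");
    rc = set_park_config_safe("{\"enabled\":\"on\"}", mode, sizeof mode);
    printf("\"on\": rc=%d mode=%s\n", rc, mode);
    rc = set_park_config_vuln("{\"enabled\":\"on\"}");   /* short value, safe to run */
    printf("vulnerable path with short value: rc=%d\n", rc);
    return 0;
}
```

The check in set_park_config_safe is `n >= modesz`, not `n > modesz`: the terminator needs its own byte, and an off-by-one here is still a stack write past the buffer.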

CVE-2025-20678: Mediatek Baseband Unbounded Recursion Leading to Stack Overflow During Handling XML Payload

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. This report describes an unbounded recursion issue, which leads to a stack overflow. (Note: the issue is a stack overflow, i.e. exhaustion of the stack, not a stack buffer overflow, i.e. an out-of-bounds write beyond a stack frame's end.) The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20678.

Vulnerability Details

The XML parser code executes unbounded recursions. In addition, it lacks early checking of the validity of the XML against the expected schema, which might otherwise act as an upper bound for recursion for most XML documents.
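Added example, not Mediatek's parser: a recursive-descent parser for element-only XML (tags without attributes, an assumption made to keep it short) that carries an explicit depth counter and refuses to recurse past XML_MAX_DEPTH, which is the bound the baseband code lacks. The limit value and the error codes are assumptions; the nested test document is constructed.

```c
#include <stdio.h>
#include <string.h>

#define XML_MAX_DEPTH 32   /* assumed limit; schema depth for the expected payloads is far smaller */

enum { XML_OK = 0, XML_ERR_SYNTAX = -1, XML_ERR_DEPTH = -2 };

struct xml_parser { const char *p; int max_depth; int deepest; };

static int parse_element(struct xml_parser *ps, int depth);

/* Parses child elements and text until "</" or end of input. */
static int parse_children(struct xml_parser *ps, int depth) {
    for (;;) {
        while (*ps->p == ' ' || *ps->p == '\n' || *ps->p == '\r' || *ps->p == '\t') ps->p++;
        if (*ps->p == '\0' || strncmp(ps->p, "</", 2) == 0) return XML_OK;
        if (*ps->p != '<') {                 /* text content: skip to the next tag */
            while (*ps->p && *ps->p != '<') ps->p++;
            continue;
        }
        int rc = parse_element(ps, depth);
        if (rc != XML_OK) return rc;
    }
}

/* Parses one element; recursion depth is bounded before any further descent. */
static int parse_element(struct xml_parser *ps, int depth) {
    if (depth > ps->max_depth) return XML_ERR_DEPTH;   /* the missing upper bound */
    if (depth > ps->deepest) ps->deepest = depth;
    if (*ps->p != '<') return XML_ERR_SYNTAX;
    const char *name = ++ps->p;
    while (*ps->p && *ps->p != '>' && *ps->p != '/') ps->p++;
    size_t nlen = (size_t)(ps->p - name);
    if (nlen == 0) return XML_ERR_SYNTAX;
    if (*ps->p == '/') {                     /* self-closing <a/> */
        ps->p++;
        if (*ps->p != '>') return XML_ERR_SYNTAX;
        ps->p++;
        return XML_OK;
    }
    if (*ps->p != '>') return XML_ERR_SYNTAX;
    ps->p++;
    int rc = parse_children(ps, depth + 1);
    if (rc != XML_OK) return rc;
    if (strncmp(ps->p, "</", 2) != 0) return XML_ERR_SYNTAX;
    ps->p += 2;
    if (strncmp(ps->p, name, nlen) != 0 || ps->p[nlen] != '>') return XML_ERR_SYNTAX;
    ps->p += nlen + 1;
    return XML_OK;
}

/* Returns XML_OK or an error; *deepest (optional) receives the depth reached. */
static int xml_check(const char *doc, int max_depth, int *deepest) {
    struct xml_parser ps = { doc, max_depth, 0 };
    int rc = parse_children(&ps, 1);
    if (rc == XML_OK && *ps.p != '\0') rc = XML_ERR_SYNTAX;
    if (deepest) *deepest = ps.deepest;
    return rc;
}

/* Builds n nested <a> elements (constructed input standing in for a hostile payload). */
static void make_nested(char *buf, size_t bufsz, int n) {
    size_t w = 0;
    for (int i = 0; i < n && w + 4 < bufsz; i++) { memcpy(buf + w, "<a>", 3); w += 3; }
    for (int i = 0; i < n && w + 5 < bufsz; i++) { memcpy(buf + w, "</a>", 4); w += 4; }
    buf[w] = '\0';
}

int main(void) {
    char doc[4096];
    int deepest = 0;
    make_nested(doc, sizeof doc, 40);
    int rc = xml_check(doc, XML_MAX_DEPTH, &deepest);
    printf("40 nested elements: rc=%d (stopped at depth %d)\n", rc, deepest);
    return 0;
}
```

A depth counter costs one integer per frame and turns an attacker-chosen recursion depth into a bounded one; on a baseband, where the task stack is small and fixed, the limit should be derived from the deepest structure the schema actually allows rather than a generous round number.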

CVE-2025-20726: Mediatek Baseband Heap Overflow in inet_msg_unpack_uri_with_len

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20726.

Vulnerability Details

inet_msg_unpack_uri_with_len:

    ...
    if (strcasecmp(proto, "http"))
    ...
    *pbVar1 = bVar6;
    proto_len = 6;
    proto = after_proto + 1;
    *after_proto = '\0';
    after_proto = after_proto + 2;
    *proto = '\0';

Some bytes are overwritten after the stored scheme, which triggers a heap overflow if the stored string is too short.

MSV-4624: Mediatek Baseband Memory Leak with invalid SDP line

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is DoS in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

A large number of memory allocations can be triggered via malformed SDP contents unknown to Mediatek's baseband implementation (e.g. with a key of two octets). On failure, some special cases bail out without first freeing the earlier allocations, losing the only pointer to the area.

MSV-4625: Mediatek Baseband Denial of Service During Parsing Invalid Accept header

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is DoS in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

The crash happens due to a NULL access. sip_msg_content_type_compatible assumes a content type with a subtype (e.g. text/plain), but inet_msg_unpack_content_type accepts a content type without a subtype (e.g. text).

    bool sip_msg_content_type_compatible(char **accept,char **contentType) {
        int iVar1;
        char *pcVar2;
        char *pcVar3;
        iVar1 = voip_strcasecmp(accept[0],"*");
        pcVar3 = "*";
        // If the Accept is in format */something, accept anything, if the Accept is exactly */*
        if (iVar1 !

MSV-4627: Mediatek Baseband Null Dereference During Parsing Empty SDP Bandwidth Field

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is DoS in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

The crash happens due to a NULL access.

    int sdp_msg_unpack_bandwidth(char **param_1,undefined *param_2) {
        iVar2 = sdp_msg_unpack_string_list.constprop.26(param_1,0x62,-1,(undefined *)&uStack_1c);
        if (iVar2 == 0) {
            puVar7 = &uStack_1c;
            local_20 = (char *)0x0;
            while ((char *)puVar7[1] != (char *)0x0) {
                puVar3 = (uint *)voip_strtok_r((char *)puVar7[1],":",&local_20); // [1]
                *(undefined4 *)(param_2 + 4) = 0;
                bVar1 = sdp_msg_unpack_type(5,5,-0x6e41ac2c,puVar3,(int *)(param_2 + 4),(uint **)0x0);
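Added example, not Mediatek's code, serving both the MSV-4624 leak and the MSV-4627 bandwidth crash above: a small SDP line parser that allocates one record per line, frees everything it allocated on any bail-out instead of dropping the pointer, and parses b= with explicit checks for the cases where the ":" split yields nothing (an empty value, a missing colon, a non-numeric count). The record layout, error codes and the set of accepted bwtype values (AS, CT) are assumptions; the SDP bodies in the tests are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { SDP_OK = 0, SDP_ERR_BADLINE = -1, SDP_ERR_BANDWIDTH = -2, SDP_ERR_NOMEM = -3 };

struct sdp_line { char key; char *value; struct sdp_line *next; };
struct sdp_msg  { struct sdp_line *lines; long bw_kbps; };

/* Releases every record; safe to call on a partially built message. */
static void sdp_free(struct sdp_msg *m) {
    struct sdp_line *l = m->lines;
    while (l) { struct sdp_line *n = l->next; free(l->value); free(l); l = n; }
    m->lines = NULL;
}

static int sdp_line_count(const struct sdp_msg *m) {
    int n = 0;
    for (const struct sdp_line *l = m->lines; l; l = l->next) n++;
    return n;
}

/* b=<bwtype>:<bandwidth>. The original handed strtok_r's result to the type
 * parser without checking it; here every way the split can come up empty is
 * rejected before anything is dereferenced. */
static int parse_bandwidth(const char *value, long *kbps) {
    if (value == NULL || *value == '\0') return SDP_ERR_BANDWIDTH;      /* "b=" alone */
    const char *colon = strchr(value, ':');
    if (colon == NULL || colon == value) return SDP_ERR_BANDWIDTH;      /* "b=AS", "b=:64" */
    size_t tlen = (size_t)(colon - value);
    int known = tlen == 2 && (strncmp(value, "AS", 2) == 0 || strncmp(value, "CT", 2) == 0);
    if (!known) return SDP_ERR_BANDWIDTH;
    char *end;
    long v = strtol(colon + 1, &end, 10);
    if (end == colon + 1 || *end != '\0' || v < 0) return SDP_ERR_BANDWIDTH;
    *kbps = v;
    return SDP_OK;
}

/* Parses "k=value" lines separated by CRLF. Each line allocates; on any
 * failure everything allocated so far is released through the one list head,
 * which is exactly what the bail-out paths in the advisory failed to do. */
static int sdp_parse(const char *text, struct sdp_msg *out) {
    out->lines = NULL;
    out->bw_kbps = -1;
    struct sdp_line **tail = &out->lines;
    const char *p = text;
    int rc = SDP_OK;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        /* An SDP line is exactly one lowercase key octet followed by '='. */
        if (len < 2 || p[1] != '=' || p[0] < 'a' || p[0] > 'z') { rc = SDP_ERR_BADLINE; goto fail; }
        struct sdp_line *l = malloc(sizeof *l);
        if (!l) { rc = SDP_ERR_NOMEM; goto fail; }
        l->key = p[0];
        l->value = malloc(len - 1);
        if (!l->value) { free(l); rc = SDP_ERR_NOMEM; goto fail; }
        memcpy(l->value, p + 2, len - 2);
        l->value[len - 2] = '\0';
        l->next = NULL;
        *tail = l;                      /* linked in before any later bail-out */
        tail = &l->next;
        if (l->key == 'b' && (rc = parse_bandwidth(l->value, &out->bw_kbps)) != SDP_OK) goto fail;
        p = eol ? eol + 2 : p + len;
    }
    return SDP_OK;
fail:
    sdp_free(out);
    return rc;
}

int main(void) {
    struct sdp_msg m;
    /* Constructed bodies: one valid, one with an empty b= line, one with a two-octet key. */
    const char *bodies[] = { "v=0\r\nb=AS:64\r\nm=audio 4000 RTP/AVP 0", "v=0\r\nb=\r\n", "v=0\r\nab=1\r\n" };
    for (int i = 0; i < 3; i++) {
        int rc = sdp_parse(bodies[i], &m);
        printf("body %d: rc=%d lines=%d bw=%ld\n", i, rc, sdp_line_count(&m), m.bw_kbps);
        sdp_free(&m);
    }
    return 0;
}
```

Two habits make the difference here: a record is attached to the list before the code that can fail runs, so a single cleanup routine can always reach it, and the tokenizer's result is checked for NULL before it is passed on, rather than assumed to be a string because the line started with "b=".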

MSV-4628: Mediatek Baseband NULL Dereference in sdp_msg_pack_media Leading to Denial of Service

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is DoS in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

The crash happens due to a NULL access.

    void sdp_msg_create_negotiation_sdp(...) {
        sdp_cpy = sdp_msg_struct_copy(sdp_msg); // [1]
        if (sdp_cpy == (sdp_message_struct *)0x0) {
            ...
            return;
        }
        media = sdp_cpy->m;
        if (media != (sdp_media_struct *)0x0) {
            media_orig_p = sdp_msg->m; // original media
            while (media_orig_p !

MSV-4629: Mediatek Baseband Malformed Audio Attribute for RTP/AVP Leads to Denial of Service

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is DoS in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

The crash happens due to a NULL access, in sdp_msg_create_negotiation_sdp. It is caused by a malformed audio attribute for RTP/AVP resulting in a NULL pointer access, which crashes the modem.

Example payload

The following SIP messages were tested: