An attacker sending a malformed ONVIF request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here.

This report describes a stack buffer overflow, which leads to pre-auth remote code execution via LAN or WAN (through browser).

The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory originally released in December 2026 and updated in April 2026 contains this vulnerability as CVE-2025-8065.

Vulnerability Details

In the ONVIF stack there is a bug in the SOAP parser in the soap_rearrange_tag function.

soap_rearrange_tag(char* src_tag, char* dst_tag) {
    char ns[16];
    char* ns_end;
    // ...
    // during parsing <something:something ...>
    //   or </something:something ...>
    ns_end = strchr(src_tag, ':');
    if (ns_end != (char*)0x0) {
        // size argument is the namespace length + 1, taken from the input,
        // not sizeof(ns)
        snprintf(ns, (size_t)(ns_end + (1 - src_tag)), "%s", src_tag);
        // ...
    }
    // ...
}

The function looks for the ":" character in the tag to get the length of the namespace. Then it copies the namespace into a stack-allocated buffer with a length of 16. However, the function never checks whether the namespace is longer than expected, so a sufficiently long namespace results in a stack buffer overflow.
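A bounded version of the namespace copy, as an added example that is not TP-Link's code and not the fix they shipped. The helper name `copy_ns_prefix`, its signature and the sample tags are assumptions; it sizes the copy by the destination buffer and rejects over-long prefixes instead of truncating them.

```c
#include <stdio.h>
#include <string.h>

#define NS_MAX 16  /* same size as the ns[16] buffer in the excerpt */

/* Hypothetical hardened helper (name and signature are assumptions).
 * Copies the namespace prefix of "prefix:local" into ns.
 * Returns the prefix length, 0 if the tag has no prefix,
 * or -1 if the prefix does not fit into ns_size bytes. */
int copy_ns_prefix(const char *src_tag, char *ns, size_t ns_size)
{
    const char *ns_end;
    size_t ns_len;

    if (ns_size == 0)
        return -1;
    ns[0] = '\0';

    ns_end = strchr(src_tag, ':');
    if (ns_end == NULL)
        return 0;

    ns_len = (size_t)(ns_end - src_tag);
    if (ns_len >= ns_size)      /* the check missing from the excerpt */
        return -1;              /* reject the tag instead of truncating */

    memcpy(ns, src_tag, ns_len);
    ns[ns_len] = '\0';
    return (int)ns_len;
}

int main(void)
{
    /* Constructed sample tags, not captured traffic. */
    const char *tags[] = { "tds:GetDeviceInformation", "Body",
                           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:x" };
    char ns[NS_MAX];

    for (size_t i = 0; i < sizeof(tags) / sizeof(tags[0]); i++) {
        int rc = copy_ns_prefix(tags[i], ns, sizeof(ns));
        printf("%-36s rc=%d ns=\"%s\"\n", tags[i], rc, ns);
    }
    return 0;
}
```

A caller should treat the -1 return as a malformed request and stop parsing the message.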

An example message that triggers this bug is:

<Envelope xmlns:0="http://www.w3.org/2003/05/soap-envelope"><Body><aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaa:>

This vulnerability can be triggered pre-authentication: the parsing happens before the SOAP WS-Security procedure would come into play. Therefore, the only requirement is that ONVIF has been enabled already.

Affected Devices

  • verified: TAPO C520WS
  • potentially: TP-Link smart devices using the TAPO architecture

Timeline

  • 2025.12.12. Vulnerability reported to TP-Link PSIRT by email.
  • 2026.02.04. TP-Link acknowledges the report.
  • 2026.03.04. TP-Link confirms vulnerability and states that the vulnerability is the duplicate of CVE-2025-8065, which was published for other models only.
  • 2026.03.04. TASZK provides update explaining the errors in TP-Link’s advisory’s details for CVE-2025-8065 regarding impact and access vector.
  • 2026.03.05. TP-Link again asks for a 3-week extension, does not confirm any TASZK analysis.
  • 2026.03.24. TP-Link confirms that the advisory for CVE-2025-8065 will be updated to reflect the changed impact and severity.
  • 2026.04.03. TP-Link releases advisory update for the vulnerability (https://www.tp-link.com/us/support/faq/4849/).
  • 2026.04.06. TASZK communicates notice of release to TP-Link.
  • 2026.04.28. Advisory released.