An attacker sending malformed requests over LAN to a TP-Link Smart camera device can trigger the vulnerability described here.
This report describes a cryptographic design vulnerability that enables offline password bruteforce, which may lead to TAPO cloud account compromise.
The vulnerability we are disclosing in this advisory affects a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory has not yet been released for this vulnerability.
Vulnerability Details
The following diagram summarizes the TAPO camera authentication procedure:
First, the client queries the acn, then calculates the digest password the following way: H(cnonce + H(pw) + acn) + acn + cnonce
The device_confirm value contains the hashed password to prove the identity of the device to the app (or other party), as follows: H(cnonce + H(pw) + acn) + acn + cnonce = device_confirm.
Therefore, if we send an empty string as cnonce, we get the following equations:
H(H(pw) + acn) + acn = device_confirm
H(H(pw) + acn) = device_confirm[:64]
The issue is that a network-adjacent attacker does not need to provide the password, the password hash, or the digest password.
By simply sending the username and the cnonce, the attacker can receive both acn and device_confirm, which then can be used to bruteforce the password offline.
The password used is in practice the same password used for the corresponding TAPO cloud account, which means that successful bruteforce not only compromises the device but the entire cloud account.
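The exchange described above, modelled offline as an added example (not code from this advisory's authors or from TP-Link): a stand-in responder builds device_confirm from the formula given here, and an audit function lists what one request/response pair exposes. Assumptions: H is SHA-256 in hex (consistent with the 64-character slice), and the dictionary keys, acn format and sample values are constructed for illustration.

```python
import hashlib
import secrets

def H(data: str) -> str:
    # Assumption: H is SHA-256 rendered as 64 hex characters (matches device_confirm[:64]).
    return hashlib.sha256(data.encode()).hexdigest()

def device_login_response(pw_hash: str, request: dict) -> dict:
    """Stand-in for the described responder: it answers from username + cnonce alone."""
    acn = secrets.token_hex(8)            # device nonce; length and format are constructed
    cnonce = request.get("cnonce", "")
    # Formula from the advisory: H(cnonce + H(pw) + acn) + acn + cnonce
    return {"acn": acn, "device_confirm": H(cnonce + pw_hash + acn) + acn + cnonce}

def audit_exchange(request: dict, response: dict) -> list:
    """Findings for one request/response pair (key names are assumed, not the device's API)."""
    findings = []
    confirm = response.get("device_confirm")
    if confirm is None:
        return findings                   # nothing password-dependent was returned
    cnonce = request.get("cnonce", "")
    acn = response.get("acn", "")
    if not request.get("digest_passwd"):
        findings.append("device_confirm returned to a caller that proved nothing")
    if len(confirm) >= 64 and confirm[64:] == acn + cnonce:
        findings.append("every input to device_confirm[:64] except H(pw) is in the transcript")
    if cnonce == "":
        findings.append("empty cnonce accepted; digest reduces to H(H(pw) + acn)")
    return findings

# Constructed sample data, not captured from a real device.
SAMPLE_PW_HASH = H("constructed-sample-password")
SAMPLE_REQUEST = {"username": "admin", "cnonce": ""}

if __name__ == "__main__":
    resp = device_login_response(SAMPLE_PW_HASH, SAMPLE_REQUEST)
    for finding in audit_exchange(SAMPLE_REQUEST, resp):
        print("-", finding)
```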
Affected Devices
- verified: TAPO C520WS
- potentially: TP-Link smart devices using the TAPO architecture
Timeline
- 2025.12.12. Vulnerability reported to TP-Link PSIRT by email.
- 2026.02.04. TP-Link acknowledges the report.
- 2026.03.04. TP-Link erroneously claims the vulnerability reported is a duplicate.
- 2026.03.04. TASZK provides update explaining the errors in TP-Link’s assessment.
- 2026.03.05. TP-Link again asks for a 3 week extension, does not confirm any TASZK analysis.
- 2026.03.06. TASZK confirms that a 3 week extension will be granted for vulnerabilities where a CVE assignment and/or Advisory correction will happen.
- 2026.03.20. TP-Link communicates that this vulnerability (along with some reported at the time) has been fixed and wishes TASZK to provide a black box analysis of a new firmware image. TP-Link does not confirm which submitted vulnerabilities will receive a CVE and/or Advisory correction but asks for another arbitrary extension for only 1 vulnerability.
- 2026.03.23. TASZK confirms that the 3 week extension will be granted if the list of vulnerabilities that are receiving a CVE and/or Advisory correction will be shared, otherwise no other extension will be granted.
- 2026.03.26-04.01. TP-Link attempts to get in touch via several non-official channels, including an attempt to show up at our offices in person uninvited. With no coherent explanation, TP-Link now claims that the vulnerability previously claimed to have been fixed is now considered insufficiently fixed and requests an embargo extension for it of an additional 5 weeks.
- 2026.04.02. End date of original 90 day + 3 week embargo. TASZK highlights that the PSIRT keeps sending plaintext emails with sensitive vulnerability information, points out that non-PSIRT channels are considered out-of-bounds for coordinated disclosure and confirms that embargo windows will not be extended further. TASZK volunteers a 24h notice to TP-Link for advisory release.
- 2026.04.06. TASZK communicates notice of release to TP-Link.
- 2026.04.28. Advisory released.