
A security researcher has disclosed several critical vulnerabilities in TP-Link's Tapo C200 home surveillance camera, revealing issues ranging from unauthenticated remote Wi-Fi hijacking to full crash-inducing buffer overflows.
Over 25,000 devices are believed to be exposed online, raising significant concerns about user privacy and the overall resilience of consumer IoT products.
TP-Link is a Shenzhen-based networking equipment manufacturer and one of the largest providers of consumer Wi-Fi hardware globally. Its Tapo line includes IP cameras, smart plugs, and other smart home accessories marketed for ease of use and affordability. The Tapo C200 is among the most widely sold models in the company's camera lineup, making these vulnerabilities particularly impactful.
Using AI for firmware security evaluation
The flaws were uncovered by reverse engineering expert Simone Margaritelli, who used AI-assisted tooling to dissect the firmware of the Tapo C200 (Hardware Revision 3, firmware version 1.4.2 Build 250313 Rel.40499n).
The research began as a weekend experiment to test how AI tools like Grok, Cline, and GhidraMCP could support firmware analysis. Margaritelli quickly discovered that TP-Link's firmware images are stored openly in an unsecured AWS S3 bucket, allowing any interested party to download full binaries for all supported TP-Link devices, including routers, cameras, and smart home hardware. Using a community-developed tool (tp-link-decrypt), the firmware was decrypted using RSA keys extracted from TP-Link's own GPL code dumps.
Upon inspection, the firmware revealed hardcoded SSL private keys used by APIs on the device. Since these keys are shared across all Tapo C200 cameras, an attacker on the same network could decrypt HTTPS traffic without needing physical access, an egregious privacy issue for a device designed to stream video from inside users' homes.
By leveraging AI to map binary functions and rename variables in the MIPS binaries, the researcher identified multiple vulnerabilities, three of which have been assigned CVEs:
CVE-2025-8065: ONVIF XML parser buffer overflow
An ONVIF service running on port 2020 parses SOAP XML requests without validating the number of elements. Sending a request with a large number of crafted elements overflows memory and crashes the device. The flaw is pre-auth and exploitable from the local network, with a CVSS v4 score of 7.1.
CVE-2025-14299: HTTPS content-length integer overflow
A critical logic bug in the camera's HTTPS server allows a malicious Content-Length header value to trigger an integer overflow. Supplying 4294967295 (0xFFFFFFFF) causes a crash, effectively resulting in a denial-of-service condition. Also pre-auth and network-exploitable, this bug shares a CVSS v4 score of 7.1.
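As an added illustration (not the camera's actual code, which has not been published), the C below shows the arithmetic wrap that a 32-bit Content-Length parser suffers on the value quoted above, next to a checked parser that rejects it before any arithmetic; the MAX_BODY cap is an assumed value.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed upper bound for a request body on a small embedded device. */
#define MAX_BODY 65536ULL

/* Hypothetical vulnerable pattern: the header value is parsed into a
 * 32-bit length and one byte is added for a terminator before allocating.
 * For 4294967295 (0xFFFFFFFF) the addition wraps to 0, so the allocation
 * is far smaller than the length later trusted when reading the body.
 * Returns the size that would be passed to the allocator. */
uint32_t naive_body_alloc_size(const char *content_length) {
    uint32_t len = (uint32_t)strtoul(content_length, NULL, 10);
    return len + 1U; /* wraps to 0 on 0xFFFFFFFF */
}

/* Hardened parser: decode into a wider type with full error checking,
 * accept only plain decimal digits, and enforce the cap before the value
 * is used in any size computation. Returns the length, or -1 if the
 * header must be rejected (the request should then get a 400/413). */
int64_t checked_content_length(const char *content_length) {
    if (content_length == NULL || *content_length == '\0') return -1;
    /* Reject signs, whitespace and hex prefixes that strtoull would accept. */
    if (*content_length < '0' || *content_length > '9') return -1;

    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(content_length, &end, 10);
    if (errno == ERANGE) return -1;      /* too large for 64 bits */
    if (end == content_length) return -1; /* no digits consumed */
    if (*end != '\0') return -1;          /* trailing junk such as "12abc" */
    if (v > MAX_BODY) return -1;          /* includes 4294967295 */
    return (int64_t)v;
}
```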
CVE-2025-14300: Unauthenticated Wi-Fi reconfiguration via connectAp API
A serious vulnerability in the connectAp API lets an unauthenticated attacker send crafted JSON requests to reconfigure the camera's Wi-Fi settings—even after setup. If the attacker is within Wi-Fi range, they can force the camera to join a rogue access point under their control, enabling man-in-the-middle interception of video streams. This issue is rated 8.7 on CVSS v4 and poses both DoS and persistent compromise risks.
Additionally, a related issue in the scanApList API allows anyone to retrieve a list of nearby Wi-Fi networks with signal strength and MAC addresses. Attackers can correlate this data with Apple's geolocation services to determine the camera's physical location with high precision.
Disclosure timeline and TP-Link's response
Margaritelli followed a responsible disclosure process beginning on July 22, 2025, by contacting TP-Link's security team with full technical details and proof-of-concept exploits. After multiple delays and minimal communication, TP-Link eventually acknowledged the vulnerabilities and published a security advisory on December 20, 2025, 150 days after the initial report.
TP-Link's advisory confirms the three CVEs and urges users to update to firmware version 1.4.5 Build 251104 or later via the Tapo mobile application.
If upgrading is not possible, it is recommended to remove these devices from untrusted networks or to isolate them on their own VLAN or a separate Wi-Fi SSID.
In general, it is recommended to avoid exposing IP cameras to the public internet unless absolutely necessary.