CVE-2025-10991
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-30

Last updated on: 2025-10-02

Assigner: TPLink

Description
The attacker may obtain root access by connecting to the UART port and this vulnerability requires the attacker to have the physical access to the device. This issue affects Tapo D230S1 V1.20: before 1.2.2 Build 20250907.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-30
Last Modified
2025-10-02
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10991
EUVD
EUVD-2025-31665
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tp-link tapo_d230s1 v1.20
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the TP-Link Tapo D230S1 device (version V1.20 before firmware 1.2.2 Build 20250907). An attacker with physical access to the device can connect to the UART port and gain root access, allowing full control over the device as the root user. [1]

Impact Analysis

If exploited, this vulnerability allows an attacker with physical access to gain root-level control over the device, potentially compromising its confidentiality, integrity, and availability. This means the attacker can fully control the device, which could lead to unauthorized access, manipulation, or disruption of device functions. [1]

Detection Guidance

This vulnerability requires physical access to the device and involves connecting to the UART port to gain root access. Detection on the network or system remotely is not applicable since the attack vector is physical. There are no specific commands provided to detect this vulnerability remotely or on the network.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the TP-Link Tapo D230S1 device firmware to version 1.2.2 Build 20250907 or later, as this firmware update addresses and fixes the issue. Users should follow the official update instructions provided by TP-Link to ensure the device is no longer vulnerable. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart