CVE-2025-14553
Exposure of Password Hashes via Unauthenticated API in TP-Link Tapo App
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: TPLink
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | tapo_c210 | 1.8 |
| tp-link | tapo_app | 3.1.6 |
| tp-link | tapo_app | 3.1.601 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the exposure of password hashes through an unauthenticated API response in the TP-Link Tapo C210 camera's mobile app (version 1.8) on iOS and Android. An attacker on the local network can obtain these password hashes without authentication and then perform an offline brute-force attack to recover the device's authentication password. This allows the attacker to gain full administrative access to the camera via the local network. [2]
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker on the local network to gain unauthorized full administrative control over the affected TP-Link Tapo C210 camera. This means the attacker can access and control the camera without permission, potentially compromising your privacy and security. The vulnerability can be mitigated by updating the Tapo mobile app to the latest versions. [2]
What immediate steps should I take to mitigate this vulnerability?
Update the TP-Link Tapo mobile app to the latest version: for iOS, update to version 3.1.601 or later; for Android, update to version 3.1.6 or later. This will mitigate the vulnerability as the device firmware remains unchanged and the issue is fixed in the mobile app. Users should ensure they are running these updated app versions to prevent exploitation. [2]