CVE-2026-12760
Analyzed Analyzed - Analysis Complete

Denial-of-Service in Tapo C200 v3 via IPv4 Fragmented Packets

Vulnerability report for CVE-2026-12760, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-29

Assigner: TPLink

Description

A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.Β  An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition,Β causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-29
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
tp-link tapo_c200_firmware 1.3.11
tp-link tapo_c200_firmware 1.3.13
tp-link tapo_c200_firmware 1.3.14
tp-link tapo_c200_firmware 1.3.15
tp-link tapo_c200_firmware 1.3.3
tp-link tapo_c200_firmware 1.3.4
tp-link tapo_c200_firmware 1.3.5
tp-link tapo_c200_firmware 1.3.7
tp-link tapo_c200_firmware 1.3.9
tp-link tapo_c200_firmware 1.4.1
tp-link tapo_c200_firmware 1.4.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a denial-of-service (DoS) issue found in the Tapo C200 v3 camera. It occurs because the device improperly handles IPv4 fragmented network packets. An attacker who is nearby and unauthenticated can send specially crafted packets that cause the device to consume excessive resources.

As a result, the device becomes unstable and unresponsive temporarily, leading to interruptions in video monitoring and recording.

Impact Analysis

Exploitation of this vulnerability can cause the Tapo C200 v3 camera to become temporarily unresponsive, resulting in a denial-of-service condition.

This means you may experience intermittent loss of video monitoring and recording, which could impact security surveillance and monitoring capabilities.

Compliance Impact

The vulnerability causes a denial-of-service condition that leads to intermittent loss of video monitoring and recording on the Tapo C200 v3 camera.

Such disruption in video surveillance could impact compliance with standards and regulations like GDPR and HIPAA, which often require continuous monitoring and secure recording of video data to protect privacy and ensure data integrity.

If video feeds are interrupted or recordings are lost due to this vulnerability, organizations may fail to meet regulatory requirements for data availability and security.

Applying the recommended firmware updates mitigates this risk by restoring device stability and ensuring continuous monitoring.

Mitigation Strategies

To mitigate the CVE-2026-12760 vulnerability in the Tapo C200 v3 camera, users should immediately update their device firmware to the latest version provided by TP-Link.

  • Download and install the firmware update version 1.4.4 Build 250922 or later.
  • Ensure the device is connected to a secure network to reduce exposure to unauthenticated adjacent attackers.
  • After updating, monitor the device for any unusual behavior or instability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart