Description
The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).
Published: 2025-12-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability consists of an unauthenticated HTTPS endpoint named connectAP on the Tapo C100 and C200 devices. Without proper authentication, an attacker on the same local network can invoke the API to change the device’s Wi‑Fi configuration. The change can cause the device to disconnect from the network, effectively denying access to the smart‑home functionality. The flaw is identified as CWE‑306, a missing authentication weakness.

Affected Systems

Affected devices are TP‑Link Tapo C100 v5 and TP‑Link Tapo C200 V3. Additional firmware versions may be impacted, but the current report does not list specific firmware revisions beyond the product model and nominal release. Information about the exact firmware build numbers that are vulnerable is not supplied.

Risk and Exploitability

The CVSS score of 8.7 places the weakness in the high range, and the EPSS score of less than 1% indicates that the likelihood of exploitation is low at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known exploited instances. The attack vector is inferred to be local‑network based, as the exploit requires the attacker to be on the same LAN segment as the device. Once the endpoint is accessed, the attacker can modify Wi‑Fi settings and render the device unreachable, causing an outage for any services that rely on it.

Generated by OpenCVE AI on April 22, 2026 at 20:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the firmware on all Tapo C100 v5 and Tapo C200 V3 devices to a version that includes the connectAP authentication fix, as announced by TP‑Link on their support site.
  • Until a patch is applied, block or limit access to the device’s HTTPS service on the local network, for example by using a firewall or VLAN to isolate the smart‑home devices from untrusted hosts.
  • If immediate patching or network isolation is not possible, consider disabling the connectAP functionality through device settings or by using a local network firewall rule that drops traffic to the specific API endpoint.
  • Monitor the device’s logs or network traffic for unexpected calls to the connectAP endpoint and alert on any unauthorized activity.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 22:45:00 +0000

Title
  Removed: Unauthenticated Access to connectAP API Endpoint on Tapo C200
  Added: Unauthenticated Access to connectAP API Endpoint on Tapo C100 and C200
References

Thu, 08 Jan 2026 19:45:00 +0000

Values added:
First Time appeared: Tp-link tapo C200 Firmware
CPEs:
  cpe:2.3:h:tp-link:tapo_c200:3:*:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.11:build_231115:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.13:build_240327:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.14:build_240513:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.15:build_240715:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.3:build_230228:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.4:build_230424:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.5:build_230717:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.7:build_230920:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.9:build_231019:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.1:build_241212:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.2:build_250313:*:*:*:*:*:*
  cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.4:build_250922:*:*:*:*:*:*
Vendors & Products: Tp-link tapo C200 Firmware
Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Mon, 22 Dec 2025 17:15:00 +0000

Values added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 21 Dec 2025 21:30:00 +0000

Values added:
First Time appeared:
  Tp-link
  Tp-link tapo
  Tp-link tapo C200
  Tp-link tapo C200 V3
Vendors & Products:
  Tp-link
  Tp-link tapo
  Tp-link tapo C200
  Tp-link tapo C200 V3

Sat, 20 Dec 2025 01:15:00 +0000

Values added:
Description: The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).
Title: Unauthenticated Access to connectAP API Endpoint on Tapo C200
Weaknesses: CWE-306
References
Metrics: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-04-03T21:39:17.347Z

Reserved: 2025-12-08T22:05:13.804Z

Link: CVE-2025-14300

Vulnrichment

Updated: 2025-12-22T16:11:17.850Z

NVD

Status: Modified

Published: 2025-12-20T01:16:03.133

Modified: 2026-04-03T22:16:24.980

Link: CVE-2025-14300

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:30:26Z

Weaknesses