Description
A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer. This allows a crafted SOAP request with an oversized namespace prefix to corrupt stack memory.

An unauthenticated attacker on the same local network may exploit this flaw to enable remote code execution with elevated privileges, leading to full compromise of the device.
Published: 2025-12-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A stack‑based buffer overflow exists in the ONVIF SOAP XML Parser of Tapo devices. When the parser receives XML tags with excessively long namespace prefixes, it copies the prefix into a fixed‑size stack buffer without checking its length, corrupting memory. An attacker with local network access can send a crafted SOAP request that triggers this overflow, allowing them to execute arbitrary code with elevated privileges and fully compromise the device.
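The length check described above, written out as an added example. This is not TP-Link's firmware code; the function names, status codes and the 32-byte buffer size are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define PREFIX_BUF_SIZE 32 /* assumed; the advisory does not give the real size */

enum { QNAME_OK = 0, QNAME_NO_PREFIX = 1, QNAME_TOO_LONG = -1, QNAME_BAD_ARG = -2 };

/* Split "prefix:local" into a caller-supplied prefix buffer (hypothetical helper).
 * The length is validated before the copy; an oversized prefix is
 * rejected rather than truncated, so the caller can drop the request. */
int split_qname(const char *tag, size_t tag_len, char *prefix,
                size_t prefix_cap, const char **local, size_t *local_len)
{
    if (!tag || !prefix || prefix_cap == 0 || !local || !local_len)
        return QNAME_BAD_ARG;
    prefix[0] = '\0';
    const char *colon = memchr(tag, ':', tag_len);
    if (colon == NULL) {            /* unprefixed element name */
        *local = tag; *local_len = tag_len;
        return QNAME_NO_PREFIX;
    }
    size_t plen = (size_t)(colon - tag);
    if (plen >= prefix_cap)         /* the validation the description says was missing */
        return QNAME_TOO_LONG;
    memcpy(prefix, tag, plen);      /* bounded: plen < prefix_cap */
    prefix[plen] = '\0';
    *local = colon + 1;
    *local_len = tag_len - plen - 1;
    return QNAME_OK;
}

/* Parser-side use with a fixed-size stack buffer: prefix length, or -1 to reject. */
int handle_tag(const char *tag, size_t tag_len)
{
    char prefix[PREFIX_BUF_SIZE];
    const char *local;
    size_t local_len;
    int st = split_qname(tag, tag_len, prefix, sizeof prefix, &local, &local_len);
    return (st < 0) ? -1 : (int)strlen(prefix);
}

int main(void)
{
    char big[128];                  /* constructed input: 100-byte prefix */
    memset(big, 'a', 100);
    memcpy(big + 100, ":Body", 6);
    printf("%d %d\n", handle_tag("tds:GetServices", 15), handle_tag(big, strlen(big)));
    return 0;
}
```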

Affected Systems

The flaw affects TP‑Link Tapo C200 v3 firmware versions 1.3.x through 1.4.x and the Tapo C520WS v2.6 firmware. Devices running any of the listed firmware builds are vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. The EPSS score of less than 1% suggests the likelihood of exploitation is currently low, and the vulnerability is not flagged in the CISA KEV catalog. The attack vector is local network; an unauthenticated attacker can target the device via the ONVIF SOAP interface, send the malicious XML payload, and achieve remote code execution with full device privileges.

Generated by OpenCVE AI on April 27, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to the latest firmware from TP‑Link that addresses this buffer overflow.
  • If an update is unavailable, disable or restrict the ONVIF SOAP service so only trusted administrators can access it.
  • Monitor the device for abnormal SOAP traffic and isolate the device on a separate network segment to limit exposure.



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 17:45:00 +0000


Thu, 02 Apr 2026 20:30:00 +0000

Description
  • Removed: A buffer overflow vulnerability exists in the ONVIF XML parser of Tapo C200 V3. An unauthenticated attacker on the same local network segment can send specially crafted SOAP XML requests, causing memory overflow and device crash, resulting in denial-of-service (DoS).
  • Added: A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer. It allowed a crafted SOAP request with an oversized namespace prefix to cause memory corruption in stack. An unauthenticated attacker on the same local network may exploit this flaw to enable remote code execution with elevated privileges, leading to full compromise of the device.
Title
  • Removed: Buffer Overflow in ONVIF XML Parser on Tapo C200
  • Added: Remote Code Execution via Stack-based Buffer Overflow in ONVIF SOAP Parser in TP-Link Tapo C200 and C520WS
Weaknesses
  • Removed: CWE-400
  • Added: CWE-121
References
Metrics
  • Removed: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}
  • Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Thu, 08 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link tapo C200 Firmware
Weaknesses CWE-120
CPEs cpe:2.3:h:tp-link:tapo_c200:3:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.11:build_231115:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.13:build_240327:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.14:build_240513:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.15:build_240715:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.3:build_230228:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.4:build_230424:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.5:build_230717:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.7:build_230920:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.9:build_231019:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.1:build_241212:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.2:build_250313:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.4:build_250922:*:*:*:*:*:*
Vendors & Products Tp-link tapo C200 Firmware
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 22 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link tapo
Tp-link tapo C200
Tp-link tapo C200 V3
Vendors & Products Tp-link
Tp-link tapo
Tp-link tapo C200
Tp-link tapo C200 V3

Sat, 20 Dec 2025 01:15:00 +0000

Type Values Removed Values Added
Description A buffer overflow vulnerability exists in the ONVIF XML parser of Tapo C200 V3. An unauthenticated attacker on the same local network segment can send specially crafted SOAP XML requests, causing memory overflow and device crash, resulting in denial-of-service (DoS).
Title Buffer Overflow in ONVIF XML Parser on Tapo C200
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-04-03T16:50:11.190Z

Reserved: 2025-07-22T21:23:25.432Z

Link: CVE-2025-8065

Vulnrichment

Updated: 2025-12-22T16:07:41.377Z

NVD

Status: Modified

Published: 2025-12-20T01:16:05.410

Modified: 2026-04-03T17:16:41.710

Link: CVE-2025-8065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T22:15:15Z

Weaknesses