Impact
This vulnerability is a stack‑based buffer overflow that occurs in the ONVIF CreateUsers service on the Tapo C520WS v2. When the device processes an ONVIF request, it does not enforce a limit on the number of XML user nodes, allowing a crafted request with many entries to overflow a buffer. The overflow can corrupt memory and crash the ONVIF management service, which the device relies on for configuration and management functions. Consequently, an attacker can force the service to crash, impairing remote management and potentially affecting the overall stability of the device. The weakness is classified as CWE‑121 (Stack‑based Buffer Overflow).
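The missing control described above, shown as an added illustration (not TP‑Link's firmware code and not taken from the advisory): a handler that copies user entries into a fixed-size stack array and rejects the request once the entry count reaches the array's capacity. The `<Username>` tag handling, `MAX_USERS`, `NAME_LEN` and the function names are assumptions made for the sketch.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USERS 4   /* assumed capacity; the firmware's real limit is not on the page */
#define NAME_LEN  32  /* assumed per-field size */

struct user { char name[NAME_LEN]; };

/* Copy each <Username> value into out[]. Returns the number of entries,
 * or -1 if the request must be rejected. */
int collect_users(const char *xml, struct user *out, size_t cap)
{
    static const char open_tag[] = "<Username>", close_tag[] = "</Username>";
    const char *p = xml;
    size_t n = 0;

    while ((p = strstr(p, open_tag)) != NULL) {
        p += sizeof open_tag - 1;
        const char *end = strstr(p, close_tag);
        if (end == NULL)
            return -1;               /* malformed: element never closed */
        size_t len = (size_t)(end - p);
        if (n >= cap)
            return -1;               /* entry-count bound: the check this bug class lacks */
        if (len == 0 || len >= NAME_LEN)
            return -1;               /* per-field length bound */
        memcpy(out[n].name, p, len);
        out[n].name[len] = '\0';
        n++;
        p = end + sizeof close_tag - 1;
    }
    return (int)n;
}

int handle_create_users(const char *xml)
{
    struct user users[MAX_USERS];    /* fixed-size stack buffer */
    return collect_users(xml, users, MAX_USERS);
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic. */
    const char *ok  = "<User><Username>alice</Username></User>"
                      "<User><Username>bob</Username></User>";
    const char *big = "<Username>a</Username><Username>b</Username>"
                      "<Username>c</Username><Username>d</Username>"
                      "<Username>e</Username>";
    printf("2 entries -> %d\n", handle_create_users(ok));
    printf("5 entries -> %d\n", handle_create_users(big));
    return 0;
}
```

Rejecting the whole request, rather than silently truncating at the limit, keeps the stored state consistent with what the client asked for and gives logging a clear event to record.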
Affected Systems
The affected product is the TP‑Link Tapo C520WS v2. No other versions or vendors are listed. The device runs firmware that includes the vulnerable ONVIF CreateUsers service and has been identified in the manufacturer’s firmware release notes.
Risk and Exploitability
The CVSS score of 6.8 indicates moderate severity. Since EPSS data is unavailable, the likelihood of exploitation cannot be quantified, but the vulnerability requires authentication, implying the attacker must first gain authorized access to the device or the ONVIF service. The vulnerability is not listed in CISA's KEV catalog, so no known widespread exploit activity is reported. Attackers with remote administrative credentials or local network access can send the specially crafted request, possibly leading to service termination and a denial‑of‑service condition. Properly patching the firmware or disabling the vulnerable service mitigates this risk.