Description
A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory.

Successful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality.
Published: 2026-06-05
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack‑based buffer overflow exists in the ONVIF DeleteUsers service of TP‑Link Tapo C520WS v2. When an authenticated user sends a request that contains too many delete identifiers, the service’s lack of input validation overflows stack memory. The overflow can cause the firmware to crash or deadlock, resulting in a denial of service that disables device management and monitoring functions.

Affected Systems

TP‑Link Systems Inc. Tapo C520WS v2 devices are affected. Only the firmware version 2 of this model contains the vulnerability.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. EPSS data is not available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA KEV. Exploitation requires valid credentials to the ONVIF API, suggesting that an attacker must have authenticated access or compromise legitimate user accounts. The primary consequence is a service crash or deadlock that takes the camera out of operation, thereby disrupting surveillance and management.

Generated by OpenCVE AI on June 6, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to the latest version that includes the fix for the DeleteUsers service
  • Revoke or rotate ONVIF credentials to limit privileged access to the camera
  • Restrict network access to the management interface or disable the DeleteUsers endpoint if the firmware supports it

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 07 Jun 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tp-link; Tp-link tapo C520ws V2
Vendors & Products | | Tp-link; Tp-link tapo C520ws V2

Sat, 06 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory. Successful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality.
Title | | Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service on TP-Link Tapo C520WS
Weaknesses | | CWE-121
References | |
Metrics | | cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-08T13:08:05.175Z

Reserved: 2026-04-13T17:10:23.938Z

Link: CVE-2026-6240

Vulnrichment

Updated: 2026-06-08T13:08:00.721Z

NVD

Status: Deferred

Published: 2026-06-06T00:16:41.103

Modified: 2026-06-08T15:01:06.580

Link: CVE-2026-6240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T11:00:11Z

Weaknesses
  • CWE-121: Stack-based Buffer Overflow