Description
A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory.

Successful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality.
Published: 2026-06-05
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow exists in the ONVIF DeleteUsers service of TP-Link Tapo C520WS v2. When an authenticated user sends a request that contains too many delete identifiers, the service's lack of input validation overflows stack memory. The overflow can cause the firmware to crash or deadlock, resulting in a denial of service that disables device management and monitoring functions.

Affected Systems

TP-Link Systems Inc. Tapo C520WS v2 devices are affected. Only version 2 of this model is listed as affected.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. EPSS data is not available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA KEV. Exploitation requires valid credentials to the ONVIF API, so an attacker must already hold authenticated access or compromise a legitimate user account. The primary consequence is a service crash or deadlock that takes the camera out of operation, disrupting surveillance and management.

Generated by OpenCVE AI on June 6, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that fixes the DeleteUsers service once the vendor releases one
  • Revoke or rotate ONVIF credentials to limit privileged access to the camera
  • Restrict network access to the management interface or disable the DeleteUsers endpoint if the firmware supports it

Generated by OpenCVE AI on June 6, 2026 at 01:20 UTC.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory. Successful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality.
Title | | Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service on TP-Link Tapo C520WS
Weaknesses | | CWE-121
References | |
Metrics | | cvssV4_0: score 6.8, vector CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: TPLink

Updated: 2026-06-05T23:51:39.483Z

Reserved: 2026-04-13T17:10:23.938Z

Link: CVE-2026-6240

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-06T00:16:41.103

Modified: 2026-06-06T00:16:41.103

Link: CVE-2026-6240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T01:30:06Z

Weaknesses