Description
An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.

Successful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.
Published: 2026-06-05
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated format string vulnerability exists in the ONVIF AddScopes method of the TP‑Link Tapo C520WS v2. User controlled scope parameters are passed directly to a formatting function without sanitization, allowing an attacker to inject format specifiers. This flaw can manipulate memory handling and cause the ONVIF management service to crash, resulting in a denial‑of‑service condition that disrupts normal device operation without granting arbitrary code execution.

Affected Systems

TP‑Link Systems Inc. – Tapo C520WS v2. The vulnerability is limited to firmware that includes the ONVIF AddScopes implementation and requires authenticated access to the device’s ONVIF API.

Risk and Exploitability

The CVSS score is 6.8, indicating a medium severity impact. The EPSS score is not available, and the issue is not listed in CISA’s KEV. Because the flaw requires authenticated control of the ONVIF API, the attacker must first obtain valid credentials or have physical access to the device. Successful exploitation results in a service crash, causing a temporary outage. No remote code execution or data exfiltration is possible by the current patch. The risk is therefore confined to availability degradation for the affected device.

Generated by OpenCVE AI on June 6, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest firmware update from TP‑Link’s official support pages for the Tapo C520WS v2
  • After updating, monitor the device to ensure ONVIF service stability
  • Restrict ONVIF API access to trusted IP addresses or internal networks to reduce exposure
  • If ONVIF is not required, disable the ONVIF service to eliminate the attack surface

Generated by OpenCVE AI on June 6, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 07 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link tapo C520ws V2
Vendors & Products Tp-link
Tp-link tapo C520ws V2

Sat, 06 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior. Successful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.
Title Authenticated Format String Vulnerability in ONVIF AddScopes Method on TP-Link Tapo C520WS
Weaknesses CWE-134
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tp-link Tapo C520ws V2
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-08T13:06:17.882Z

Reserved: 2026-04-13T17:10:26.104Z

Link: CVE-2026-6241

cve-icon Vulnrichment

Updated: 2026-06-08T13:06:13.964Z

cve-icon NVD

Status : Deferred

Published: 2026-06-06T00:16:41.230

Modified: 2026-06-08T15:01:06.580

Link: CVE-2026-6241

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:00:11Z

Weaknesses
  • CWE-134

    Use of Externally-Controlled Format String