Description
An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution.

Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.
Published: 2026-06-05
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authenticated format string flaw in the ONVIF Subscribe service of the TP‑Link Tapo C520WS v2. Improper handling of externally supplied parameters in formatting functions enables an attacker to insert crafted format strings into event subscription requests or notification generation, causing the event notification process to terminate and the real‑time alarm functionality to fail.

Affected Systems

TP‑Link Systems Inc. product Tapo C520WS version 2. No other vendors or product versions are listed as affected.

Risk and Exploitability

The CVSS score is 6.8, indicating a moderate impact when the flaw is exploited. EPSS information is unavailable, so the likelihood of exploitation cannot be quantified, and the vulnerability is not currently listed in CISA's KEV catalog. The description indicates that the attack requires authentication, suggesting the vector involves a network-facing service that an authenticated user can reach. Successful exploitation would lead to denial of real‑time alarm and event notification capabilities. No public exploits are known at this time.

Generated by OpenCVE AI on June 6, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tapo C520WS v2 firmware to the latest version available from TP‑Link’s support site.
  • If a firmware upgrade cannot be applied immediately, disable or restrict the ONVIF subscription functionality to prevent service disruption.
  • Monitor system logs for unexpected termination of the event notification service and investigate any suspicious activity.

Generated by OpenCVE AI on June 6, 2026 at 01:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution. Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.
Title Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520WS
Weaknesses CWE-134
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-05T23:52:36.290Z

Reserved: 2026-04-13T17:10:28.804Z

Link: CVE-2026-6242

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-06T00:16:41.347

Modified: 2026-06-06T00:16:41.347

Link: CVE-2026-6242

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-06T01:30:06Z

Weaknesses