Description
An
authenticated format string vulnerability exists in the ONVIF service of Tapo
C110 v2 due to improper handling of user-controlled input.  Externally controlled data is interpreted as
a format string, which can be used to manipulate stack memory, including
control flow data such as return addresses.





A remote
authenticated attacker may redirect execution flow to existing internal
functions, triggering an unauthorized factory reset, leading to loss of
configuration, deletion of stored credentials and service disruption.
Published: 2026-06-11
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated format string vulnerability was discovered in the ONVIF service of TP‑Link Tapo C110 v2. Improper handling of user‑controlled input allows crafted data to be interpreted as a format string, enabling manipulation of stack memory, including return addresses. An attacker can redirect execution flow to internal functions, which can trigger an unauthorized factory reset and result in loss of configuration, deletion of stored credentials, and service disruption.

Affected Systems

The flaw affects TP‑Link Systems Inc. Tapo C110 v2 devices. No more specific versioning is provided; all units that ship with the v2 firmware are considered vulnerable.

Risk and Exploitability

The CVSS base score of 7 indicates a high severity vulnerability. EPSS information is not available and the issue is not listed in CISA’s KEV catalog, so no large‑scale exploitation has yet been reported. Exploitation requires authenticated access to the ONVIF service; once compromised, the attacker can gain remote code execution capable of forcing a factory reset. The potential impact on confidentiality, integrity and availability is significant, resulting in a moderate to high risk for devices exposed to external networks.

Generated by OpenCVE AI on June 11, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to the latest firmware released by TP‑Link, which addresses the format string vulnerability.
  • If a firmware update is not immediately available, restrict network access to the ONVIF service by applying firewall or router ACL rules that limit traffic to trusted IP ranges or authenticated users.
  • For environments where the ONVIF protocol is not required, disable the ONVIF service entirely to eliminate the vulnerable surface area.

Generated by OpenCVE AI on June 11, 2026 at 22:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input.  Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.
Title Authenticated Format String Injection on TP-Link Tapo C110
Weaknesses CWE-134
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-11T20:46:09.672Z

Reserved: 2026-04-13T18:44:25.412Z

Link: CVE-2026-6250

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-11T22:16:57.870

Modified: 2026-06-11T22:16:57.870

Link: CVE-2026-6250

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T22:45:05Z

Weaknesses
  • CWE-134

    Use of Externally-Controlled Format String