Description
A denial-of-service vulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of syntactically invalid input. Crafted inputs can trigger a processing error, causing the RTSP service to enter a non-responsive state. Successful exploitation may leave the RTSP service in a denial-of-service condition.
Published: 2026-06-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an input validation flaw in the RTSP server component of the Tapo C520WS v2, where syntactically invalid RTSP packets are not properly handled. A crafted packet triggers a processing error that causes the RTSP service to become non‑responsive. This results in a denial of service of the RTSP functionality, potentially disrupting video streaming for authorized users. The weakness corresponds to CWE‑20.

Affected Systems

Affects TP‑Link Systems Inc. product Tapo C520WS v2. The issue applies specifically to firmware version v2; no other firmware versions are listed as affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. No EPSS score is available, so the exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, based on the description that crafted, syntactically invalid RTSP requests can trigger a service crash; it is not explicitly stated where the traffic originates, but the data suggests that an attacker could send these malformed packets over the network to the device.

Generated by OpenCVE AI on June 5, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to the latest version that addresses the RTSP denial‑of‑service issue.
  • If an update is unavailable, block or disable the RTSP port (typically port 554) from external networks or restrict it to trusted LAN segments.
  • Place the device behind a firewall or network device that filters or rejects malformed RTSP traffic, ensuring it is only reachable from trusted internal sources.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | A denial-of-service vulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of syntactically invalid input.  Crafted inputs can trigger a processing error, causing the RTSP service to enter non-responsive state. Successful exploitation may cause the RTSP in a denial-of-service condition.
Title | | Denial-of-Service Vulnerability in RTSP Input Handling on TP-Link's Tapo C520WS
Weaknesses | | CWE-20
References | |
Metrics | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-05T17:25:13.069Z

Reserved: 2026-05-15T20:50:58.600Z

Link: CVE-2026-8714

Vulnrichment

Updated: 2026-06-05T17:25:09.895Z

NVD

Status: Awaiting Analysis

Published: 2026-06-05T17:17:04.097

Modified: 2026-06-05T19:03:48.933

Link: CVE-2026-8714

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T18:00:15Z
