CVE-2025-14300

HIGH

Tapo C200 V3 < V3_1.4.5 Build 251104 - Unauthenticated Denial of Service via connectAP Interface

Title source: llm

Description

The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).

References (5)

Core 5

Core References

Patch patch

https://www.tp-link.com/en/support/download/tapo-c100/v5/#Firmware-Release-Notes

Patch patch

https://www.tp-link.com/us/support/download/tapo-c100/v5/#Firmware-Release-Notes

Patch patch

https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes

Release Notes patch

https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes

Vendor Advisory vendor-advisory

https://www.tp-link.com/us/support/faq/4849/

Scores

CVSS v3 8.1

EPSS 0.0009

EPSS Percentile 25.5%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-306

Status published

Products (14)

TP Link Systems Inc./Tapo C100 v5 < V5_1.4.4 Build 260303

tp-link/tapo_c200_firmware 1.3.3 build_230228

tp-link/tapo_c200_firmware 1.3.4 build_230424

tp-link/tapo_c200_firmware 1.3.5 build_230717

tp-link/tapo_c200_firmware 1.3.7 build_230920

tp-link/tapo_c200_firmware 1.3.9 build_231019

tp-link/tapo_c200_firmware 1.3.11 build_231115

tp-link/tapo_c200_firmware 1.3.13 build_240327

tp-link/tapo_c200_firmware 1.3.14 build_240513

tp-link/tapo_c200_firmware 1.3.15 build_240715

... and 4 more

Published Dec 20, 2025

Tracked Since Feb 18, 2026