Description
A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer. A crafted SOAP request with an oversized namespace prefix can therefore corrupt stack memory. An unauthenticated attacker on the same local network may exploit this flaw to achieve remote code execution with elevated privileges, leading to full compromise of the device.
Scores
CVSS v3: 6.5
EPSS: 0.0008
EPSS Percentile: 23.8%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-120, CWE-121
Status: published
Products (15)
tp-link/tapo_c200_firmware 1.3.3 build_230228
tp-link/tapo_c200_firmware 1.3.4 build_230424
tp-link/tapo_c200_firmware 1.3.5 build_230717
tp-link/tapo_c200_firmware 1.3.7 build_230920
tp-link/tapo_c200_firmware 1.3.9 build_231019
tp-link/tapo_c200_firmware 1.3.11 build_231115
tp-link/tapo_c200_firmware 1.3.13 build_240327
tp-link/tapo_c200_firmware 1.3.14 build_240513
tp-link/tapo_c200_firmware 1.3.15 build_240715
tp-link/tapo_c200_firmware 1.4.1 build_241212
... and 5 more
Published: Dec 20, 2025
Tracked Since: Feb 18, 2026