Security Advisory on Password Hash Leak Could Lead to Unauthorized Access on Tapo C210 via Local Network (CVE-2025-14553)

Security Advisory
Updated 12-16-2025 18:33:50 PM

Vulnerability Description:

A vulnerability has been found in TP-Link Tapo C210 V1.8 that may result in the exposure of password hashes through an unauthenticated API response in the Tapo app for iOS and Android. This vulnerability could allow an attacker to obtain password hashes via the local network and recover user credentials through brute-force attacks.

Impact:

The vulnerability allows an attacker to recover the device’s authentication password through an offline brute-force process. Once the password is obtained, the attacker can gain full administrative access to the affected camera device via the local network.

CVSS v4.0 Score: 7 / High

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Affected Products/Versions and Fixes:

| Affected Product Model | Related Vulnerabilities | Affected Version |
|---|---|---|
| Tapo C210 V1.8 | CVE-2025-14553 | iOS < 3.1.601; Android < 3.1.6 |

Issue can be mitigated through mobile application updates. Device firmware remains unchanged.
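
The following is an added example, not TP-Link code, showing one way to check a mobile-app inventory against the affected versions listed above. The inventory field names and sample rows are constructed, and it assumes app versions are dotted integers that must be compared numerically rather than as strings.

```python
import re

# First non-affected Tapo app version per platform, taken from the advisory table.
FIXED = {"ios": (3, 1, 601), "android": (3, 1, 6)}

def parse_version(text):
    """Turn '3.1.601' into (3, 1, 601); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_affected(platform, version):
    """True if this Tapo app build predates the fix for CVE-2025-14553."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        raise ValueError(f"unknown platform: {platform!r}")
    have = parse_version(version)
    # Pad with zeros so '3.1' and '3.1.0' compare as equal.
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return have < fixed

def triage(inventory):
    """Split devices into those needing the app update and those needing manual review."""
    needs_update, unknown = [], []
    for row in inventory:
        try:
            if is_affected(row["platform"], row["app_version"]):
                needs_update.append(row["device"])
        except (ValueError, KeyError):
            unknown.append(row.get("device", "?"))
    return needs_update, unknown

# Constructed sample inventory (hypothetical field names, e.g. from an MDM export).
SAMPLE = [
    {"device": "phone-01", "platform": "iOS", "app_version": "3.1.600"},
    {"device": "phone-02", "platform": "iOS", "app_version": "3.1.601"},
    {"device": "phone-03", "platform": "Android", "app_version": "3.1.10"},
    {"device": "phone-04", "platform": "Android", "app_version": "3.1.5"},
    {"device": "phone-05", "platform": "android", "app_version": "3.0"},
    {"device": "phone-06", "platform": "Android", "app_version": "unknown"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A plain string comparison would wrongly flag Android 3.1.10 as older than 3.1.6, which is why the versions are parsed into integer tuples; rows that cannot be parsed are returned separately for manual review instead of being assumed safe.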

Recommendations:

We strongly recommend that users with affected devices take the following actions:

  1. Download and update to the latest Tapo app version to fix the vulnerability.

TP-Link Tapo App - App Store

TP-Link Tapo - Google Play

Disclaimer:

If you do not take all of the recommended actions, this vulnerability concern will remain. TP-Link cannot bear any responsibility for the consequences that could have been avoided by following the recommended actions in this statement.
