HIGHCVE-2026-1315Published Modified CNA TPLink
CVE-2026-1315: Unauthenticated Denial of Service via Firmware Update Endpoint on TP-Link Tapo C220 & C520WS
By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation.
Metrics
- CVSS v4.0
- 7.1
- Severity
- HIGH
- Fixed in
- 1.2.3 Build 251114
- Affected Products
- 2
Fix available
1.2.3 Build 2511141.4.2 Build 251112
Patch commits
Affected packages
- TP-Link Systems Inc. / Tapo C220 v1< 1.4.2 Build 251112 (from 0)
- TP-Link Systems Inc. / Tapo C520WS v2< 1.2.3 Build 251114 (from 0)
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N