CVE-2026-6250: Authenticated Format String Injection on TP-Link Tapo C110
An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.
Metrics
- CVSS v4.0: 7.0
- Severity: HIGH
- Fixed in: 1.5.4 Build 260428
- Affected Products: 1
HarborGuard Analysis
Synopsis
A format string injection vulnerability exists in the ONVIF service of the TP-Link Tapo C110 v2 firmware. A format string injection occurs when user-supplied input is passed directly to a formatting function, letting an attacker read or overwrite stack memory. An attacker on the same network segment who holds a valid account can exploit this to redirect execution flow into an internal factory-reset routine, wiping device configuration, deleting stored credentials, and disrupting service. A patched-image rebuild at firmware version 1.5.4 Build 260428 is available on HarborGuard for affected environments.
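To illustrate the bug class described above, here is an added C example (constructed for this page, not code from the advisory, TP-Link, or HarborGuard). A client-controlled field, modelled on an ONVIF username, reaches a printf-family function: the vulnerable function uses it as the format string, the hardened one passes it as an argument, and `has_format_directive` is a hypothetical input check a defender can run on request fields that should never contain format syntax.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the untrusted string *is* the format string.
 * Any '%' sequence in `user` is interpreted as a directive, which is
 * exactly how stack memory gets read or overwritten. GCC and Clang
 * flag this call with -Wformat-security. */
int render_user_vulnerable(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);   /* BUG: non-constant format */
}

/* Hardened pattern: constant format, untrusted data only as an argument. */
int render_user_fixed(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Defensive check for fields that must never carry format syntax:
 * returns 1 if `s` contains a '%' that is not the literal escape "%%".
 * A stricter policy for a username field may simply reject any '%'. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" renders as a literal percent */
            p++;
            continue;
        }
        return 1;               /* a real conversion or %n follows */
    }
    return 0;
}
```

The input "50%% off" is well-defined for both functions and shows the difference: the vulnerable path collapses it to "50% off", the fixed path keeps it intact.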
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer container images, including custom-built images that bundle this firmware or ONVIF service components. Any image carrying a vulnerable version of the Tapo C110 v2 firmware below 1.5.4 Build 260428 is flagged automatically.
HarborGuard scores this finding at CVSS 7.0 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. The finding is sent to the appropriate team inbox within each customer org based on policy-defined ownership rules for IoT or embedded firmware images.
A patched-image rebuild at version 1.5.4 Build 260428 is available on HarborGuard for any environment running an affected firmware version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: adjacent network (AV:A)
The attacker must be on an adjacent network such as a local LAN or VPN segment; the ONVIF service is not directly reachable from the open internet.
- Authentication: required
A valid account on the device is required; any low-privilege credential is sufficient to reach the vulnerable ONVIF code path.
- Victim interaction: not required
No victim interaction is needed; the attacker sends a crafted request directly to the ONVIF service without any user participation.
- Attack complexity: low (AC:L)
Exploit conditions are straightforward and reliable, with no race conditions or special environmental factors needed to trigger the format string.
Blast Radius
- Attacker overwrites stack memory including return addresses, redirecting execution flow to an internal factory-reset function.
- The factory reset wipes the device configuration, removing all stored credentials and custom settings.
- Service is disrupted as the device reboots into a default unconfigured state, breaking any dependent automation or monitoring integrations.
- Loss of stored credentials may expose downstream systems that relied on credentials held on the device.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is matched against customer images within minutes of publication, including custom-built images that incorporate Tapo C110 v2 firmware. For environments running a firmware version below 1.5.4 Build 260428, a patched rebuild at the fix version is available. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, HarborGuard surfaces the finding with fix-version detail so teams can act manually. As a compensating control while patching is in progress, teams can apply network policy to restrict access to the ONVIF service port to trusted LAN segments only, reducing the adjacent-network attack surface.
Affected Products
- TP-Link Systems Inc. / Tapo C110 v2: < 1.5.4 Build 260428 (from 0)
CVSS vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N