CVE-2025-14300

Description

The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).

CVSS breakdown

CVSS 4.0

Attack Vector

Adjacent

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

High

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

TP-Link Systems Inc. / Tapo C100 v50 – V5_1.4.4 Build 260303
TP-Link Systems Inc. / Tapo C200 v30 – V3_1.4.5 Build 251104

References

MISChttps://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes
MISChttps://www.tp-link.com/us/support/faq/4849/
MISChttps://www.tp-link.com/en/support/download/tapo-c100/v5/#Firmware-Release-Notes
MISChttps://www.tp-link.com/us/support/download/tapo-c100/v5/#Firmware-Release-Notes
MISChttps://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes