Unauthenticated Denial of Service via Firmware Update Endpoint on TP-Link...

7.1 / 10

HIGH

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation.

Basic Information

ID CVE-2026-1315

Source TPLink

Published Jan 27, 2026 at 17:53

Affected Product

Vendor TP-Link Systems Inc.

Product Tapo C220 v1

Affected Versions TP-Link Systems Inc. Tapo C220 v1 0
TP-Link Systems Inc. Tapo C520WS v2 0

CWE Classification

CWE-20

References

{
    "lastseen": "",
    "description": "By sending crafted files to the firmware update endpoint\u00a0of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity.\u00a0An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation.",
    "published": "2026-01-27T17:53:29.242Z",
    "modified": "2026-01-27T17:53:29.242Z",
    "type": "cve",
    "title": "Unauthenticated Denial of Service via Firmware Update Endpoint on TP-Link Tapo C220 & C520WS",
    "source": "TPLink",
    "references": "https://www.tp-link.com/us/support/download/tapo-c220/v1.60/\nhttps://www.tp-link.com/en/support/download/tapo-c220/v1/\nhttps://www.tp-link.com/us/support/download/tapo-c520ws/v2/\nhttps://www.tp-link.com/en/support/download/tapo-c520ws/v2/\nhttps://www.tp-link.com/us/support/faq/4923/",
    "id": "CVE-2026-1315",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "TP-Link Systems Inc. Tapo C220 v1 0\nTP-Link Systems Inc. Tapo C520WS v2 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Tapo C220 v1",
    "version": "0",
    "vendor": "TP-Link Systems Inc.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Unauthenticated Denial of Service via Firmware Update Endpoint on TP-Link Tapo C220 & C520WS_CVE-2026-1315