CVE-2023-27098

7.5 HIGH

📋 TL;DR

TP-Link Tapo mobile applications up to version 2.12.703 contain hardcoded credentials that allow unauthorized access to the login panel. This affects all users of the vulnerable Tapo APK versions on Android devices. Attackers can use these credentials to bypass authentication and potentially gain control of connected Tapo smart devices.

💻 Affected Systems

Products:
  • TP-Link Tapo Android Application
Versions: Up to v2.12.703
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Android APK version of the Tapo app. The iOS version may use a different implementation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all Tapo smart devices connected to the vulnerable app, allowing attackers to view camera feeds, control smart plugs, access home networks, and potentially pivot to other systems.

🟠 Likely Case

Unauthorized access to Tapo device management interface, enabling attackers to view device status, change settings, and potentially disable security features.

🟢 If Mitigated

Limited impact if the devices are isolated from critical networks and the app is updated promptly.

🌐 Internet-Facing: HIGH - Mobile apps with hardcoded credentials can be exploited remotely if the devices are reachable over the internet.
🏢 Internal Only: MEDIUM - Attackers on the same network could exploit this, but doing so requires proximity or network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Hardcoded credentials are publicly documented in GitHub repositories, making exploitation trivial for attackers with basic technical knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after v2.12.703

Vendor Advisory: https://www.tp-link.com/support/contact-technical-support/#LiveChat-Support

Restart Required: Yes

Instructions:

1. Open the Google Play Store
2. Search for 'TP-Link Tapo'
3. Check whether an update is available
4. Install the latest version
5. Restart the application

🔧 Temporary Workarounds

Disable Tapo App Network Access

Temporarily disable the Tapo app for the primary Android user until it is patched. Note that the command below disables the whole app for that user (which also removes its network access), not only its network permission:

adb shell pm disable-user --user 0 com.tplink.tapo

🧯 If You Can't Patch

  • Disconnect Tapo devices from the network and use physical controls only
  • Implement network segmentation to isolate Tapo devices from critical systems

🔍 How to Verify

Check if Vulnerable:

Check the app version in Android Settings > Apps > TP-Link Tapo > App info. If the version is 2.12.703 or lower, you are vulnerable.

Check Version:

adb shell dumpsys package com.tplink.tapo | grep versionName

Verify Fix Applied:

Update the app through the Google Play Store and verify that the version is higher than 2.12.703.
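The version check above, as an added shell example that is not part of this advisory: it parses the versionName line from the dumpsys output and compares it numerically against 2.12.703, since a plain string comparison would rank 2.9.1 above 2.12.703. The dumpsys excerpt embedded below is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Tapo APK version
# reported by `adb shell dumpsys package com.tplink.tapo` is at or below
# the last affected version, 2.12.703, comparing dotted components as integers.

LAST_AFFECTED="2.12.703"

# Return 0 (true) if version $1 <= version $2, comparing component by component.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0            # a missing component counts as 0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Extract the numeric versionName value from dumpsys output given on stdin.
parse_version_name() {
    sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print "VULNERABLE <v>", "FIXED <v>" or "UNKNOWN" for a dumpsys excerpt on
# stdin; exit status 0 when vulnerable, 1 when fixed, 2 when unparseable.
tapo_status() {
    v=$(parse_version_name)
    if [ -z "$v" ]; then echo "UNKNOWN"; return 2; fi
    if version_le "$v" "$LAST_AFFECTED"; then echo "VULNERABLE $v"; return 0; fi
    echo "FIXED $v"; return 1
}

# Constructed sample excerpts shaped like the relevant dumpsys lines
# (values are made up for illustration).
SAMPLE_OLD='    versionCode=21270300 minSdk=24 targetSdk=33
    versionName=2.12.703'
SAMPLE_NEW='    versionName=2.13.10'

for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    printf '%s\n' "$s" | tapo_status || true   # non-zero status just means "not vulnerable"
done
```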

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login with unusual timing
  • Authentication logs showing access from unexpected IP addresses

Network Indicators:

  • Unusual API calls to Tapo device endpoints
  • Traffic patterns inconsistent with normal user behavior

SIEM Query:

source="tapo_app.log" AND (event="authentication_success" AND user="default_admin")
