CVE-2026-0918
📋 TL;DR
This vulnerability allows unauthenticated attackers to crash the HTTP service on Tapo C220 v1 and C520WS v2 cameras by sending POST requests with excessively large Content-Length headers. The crash causes temporary denial of service until the device automatically restarts. Only users of these specific camera models are affected.
💻 Affected Systems
- Tapo C220
- Tapo C520WS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Persistent denial of service making cameras unavailable for extended periods, potentially disrupting security monitoring.
Likely Case
Temporary camera unavailability during attacks, with automatic recovery after device restart.
If Mitigated
Minimal impact if cameras are behind firewalls or network segmentation prevents external access.
🎯 Exploit Status
Simple HTTP request manipulation required. No authentication needed. Attack can be automated for persistent DoS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
Check TP-Link support pages for firmware updates. If available, download and install via camera web interface or mobile app.
🔧 Temporary Workarounds
Network Segmentation
Place cameras on an isolated VLAN or network segment to limit the attack surface
Firewall Rules
Block external access to camera HTTP ports (typically 80/443)
🧯 If You Can't Patch
- Implement network access controls to restrict who can reach camera HTTP services
- Monitor for repeated HTTP requests with large Content-Length headers and block offending IPs
🔍 How to Verify
Check if Vulnerable:
Send a POST request to the camera HTTP service with the Content-Length header set to an extremely large value (e.g., 9999999999) and observe whether the service crashes
Check Version:
Check the firmware version in the camera web interface or mobile app settings
Verify Fix Applied:
Repeat the same test after applying any available firmware updates
📡 Detection & Monitoring
Log Indicators:
- Repeated HTTP service crashes
- Device restart logs
- Failed memory allocation errors
Network Indicators:
- Multiple POST requests with abnormally large Content-Length headers from single source
SIEM Query:
source_ip='*' AND http_method='POST' AND http_content_length>1000000000
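The network indicator and SIEM query above, implemented as detection logic over constructed log lines (an added example, not part of the advisory; the access-log format, field order and the 1000000000-byte threshold from the query are assumptions):

```python
import re
from collections import defaultdict

# Constructed sample (not from the page): an access log from a reverse proxy
# or firewall in front of the camera's HTTP service. Fields: timestamp,
# client IP, method, path, declared Content-Length ('-' if absent), status.
SAMPLE_LOG = """\
2026-01-05T10:00:01Z 192.0.2.10 POST /api 9999999999 000
2026-01-05T10:00:02Z 192.0.2.10 POST /api 9999999999 000
2026-01-05T10:00:03Z 192.0.2.10 POST /api 9999999999 000
2026-01-05T10:00:04Z 198.51.100.7 GET / - 200
2026-01-05T10:00:05Z 198.51.100.7 POST /login 512 200
2026-01-05T10:00:06Z 203.0.113.9 POST /upload 1500000000 000
2026-01-05T10:00:07Z 203.0.113.9 POST /upload 18446744073709551616 000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<clen>\S+) (?P<status>\d{3})$"
)

# Same threshold as the page's SIEM query: http_content_length > 1000000000.
CONTENT_LENGTH_THRESHOLD = 1_000_000_000


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def declared_length(clen):
    """Parse Content-Length as an arbitrary-size int; None if absent or non-numeric.
    Python ints do not overflow, so a value that would wrap a C size_t is still
    compared correctly against the threshold."""
    return int(clen) if clen.isdigit() else None


def find_oversized_posts(log_text, threshold=CONTENT_LENGTH_THRESHOLD, min_hits=2):
    """Group POSTs whose declared Content-Length exceeds `threshold` by client IP
    and keep sources with at least `min_hits` of them (the 'repeated from a
    single source' indicator). Returns {ip: {"hits": n, "max_len": largest}}."""
    per_ip = defaultdict(lambda: {"hits": 0, "max_len": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        clen = declared_length(rec["clen"])
        if clen is None or clen <= threshold:
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["max_len"] = max(entry["max_len"], clen)
    return {ip: e for ip, e in per_ip.items() if e["hits"] >= min_hits}
```

Sources returned by `find_oversized_posts` are candidates for the blocking step listed under "If You Can't Patch"; a single oversized POST from a host is not reported, so legitimate large uploads from a camera app are less likely to trip it.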
🔗 References
- https://www.tp-link.com/en/support/download/tapo-c220/v1/
- https://www.tp-link.com/en/support/download/tapo-c520ws/v2/
- https://www.tp-link.com/us/support/download/tapo-c100/v5/
- https://www.tp-link.com/us/support/download/tapo-c220/v1.60/
- https://www.tp-link.com/us/support/download/tapo-c520ws/v2/
- https://www.tp-link.com/us/support/faq/4923/