VYPR
Unrated severity · NVD Advisory · Published Mar 7, 2022 · Updated Sep 17, 2024

TP-LINK Tapo C200 remote code execution vulnerability

CVE-2021-4045

Description

TP-Link Tapo C200 IP camera firmware 1.1.15 and below contains an unauthenticated RCE in uhttpd, allowing full device takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An unauthenticated remote code execution vulnerability exists in the uhttpd binary running as root on TP-Link Tapo C200 IP cameras with firmware version 1.1.15 and below [1]. The flaw allows an attacker to inject arbitrary commands without any prior authentication or configuration changes.

Exploitation

An attacker needs only network access to the camera's IP address on the default HTTP port. No credentials or user interaction are required. The vulnerability can be triggered by sending a specially crafted HTTP request to the affected uhttpd service, which fails to sanitize input, enabling command injection [1].

Impact

Successful exploitation results in full remote code execution as the root user. The attacker gains complete control over the camera, including the ability to modify firmware, exfiltrate video/audio streams, pivot to other devices on the local network, or render the camera inoperable [1].

Mitigation

TP-Link released firmware version 1.1.16 to address this issue. Users should update to the latest firmware via the official TP-Link support page or the Tapo app. No workaround is available if the camera cannot be updated; however, isolating the camera on a separate VLAN or behind a firewall may reduce exposure [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • TP-Link/Tapo C200 (llm-fuzzy), 2 versions: <=1.1.15 and 1 more
    • (no CPE) range: <=1.1.15
    • (no CPE) range: 1.15

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `setLanguage` method in the uhttpd binary does not properly sanitize input, allowing for command injection."

Attack vector

An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the device's web interface. The request targets the `setLanguage` method and includes a payload that injects shell commands. These commands are then executed with root privileges on the camera. The exploit uses a reverse shell to establish a connection back to the attacker's machine, granting them full control. [ref_id=1]

Affected code

The vulnerability resides within the uhttpd binary, which runs with root privileges. The `setLanguage` method is identified as the entry point for the exploit, where unsanitized input in the `params.payload` field leads to command execution. [ref_id=1]

What the fix does

The advisory does not specify a patch or provide details on how the vulnerability is fixed. It is recommended to update to a firmware version that addresses this issue, though specific version details are not provided.

Preconditions

  • auth: The vulnerability is unauthenticated.
  • network: The attacker must be able to reach the device over the network.
  • input: The attacker must be able to send a POST request to the device's web interface.

Reproduction

The provided reference [ref_id=1] includes Python code demonstrating how to trigger the vulnerability by sending a POST request with a malicious payload to the victim's IP address.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.