CVE-2026-6250
Description
An authenticated format string vulnerability in the Tapo C110 v2 ONVIF service allows a remote attacker to trigger an unauthorized factory reset.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 (firmware versions below 1.5.4 Build 260428 Rel.64344n) [4]. User-controlled input is improperly handled and interpreted as a format string, allowing manipulation of stack memory, including control flow data such as return addresses [4].
Exploitation
A remote attacker must first authenticate to the ONVIF service. With valid credentials, the attacker can supply a crafted format string as part of an ONVIF request [4]. The vulnerable service then processes this input, enabling memory corruption that redirects execution flow [4].
Impact
By redirecting execution flow to existing internal functions, the attacker can trigger an unauthorized factory reset of the device [4]. This results in loss of configuration, deletion of stored credentials, and service disruption [4].
Mitigation
TP-Link has released firmware version 1.5.4 Build 260428 Rel.64344n to fix this vulnerability [4]. Users with affected Tapo C110 v2 devices should update immediately via the TP-Link download center [1][3][4]. No workaround is documented; the only mitigation is applying the firmware update.
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (4)
News mentions (0)
No linked articles in our index yet.