TP-LINK Tapo C200 remote code execution vulnerability
CVE-2021-4045

9.8CRITICAL

Key Information:

Vendor: Tp-link
Status: Tapo C200
Vendor: CVE Published:; 10 March 2022

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 36%

Summary

TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. The exploitation of this vulnerability allows an attacker to take full control of the camera.

Affected Version(s)

Tapo C200 1.15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-4045-PoC
Created by hacefresko

CVE-2021-4045
Created by pl4int3xt

References

https://www.incibe-cert.es/en/early-warning/security-advi...

x_refsource_CONFIRM

http://packetstormsecurity.com/files/168472/TP-Link-Tapo-...

x_refsource_MISC

EPSS Score

36% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Dec 26, 2023
👾
Exploit known to exist
Dec 26, 2023
Vulnerability published
Mar 10, 2022
Vulnerability Reserved
Dec 2, 2021

Credit

Víctor Fresco Perales