Replay Attack Vulnerability in TPLink Smart Bulb Tapo Series
CVE-2023-38907

7.5HIGH

Key Information:

Vendor: Tp-link
Status: Tapo L530e Firmware
Vendor: CVE Published:; 25 September 2023

What is CVE-2023-38907?

An identified vulnerability in TPLink's Tapo series of smart bulbs allows remote attackers to replay previously intercepted messages due to weaknesses in message encryption. This can occur when valid session keys are still in use, enabling unauthorized access to controls and functions of the affected devices. Users with products such as the Tapo L530, L510E, L630, P100, and the Tapo Application are particularly at risk, as outdated firmware versions may be exploited by attackers to compromise household security.

References

https://www.scitepress.org/PublicationsDetail.aspx?ID=X/a...

https://arxiv.org/abs/2308.09019

https://www.scitepress.org/Papers/2023/120929/120929.pdf

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 25, 2023
Vulnerability Reserved
Jul 25, 2023

Tp-link

What is CVE-2023-38907?

References

CVSS V3.1

Timeline