Authentication Bypass in Tapo C200 V3 by TP-Link
CVE-2025-14300

8.7HIGH

Key Information:

Vendor

Tp-link Systems Inc.

Status
Tapo C200 V3
Tapo C100 V5
Vendor
CVE Published:
20 December 2025

What is CVE-2025-14300?

The Tapo C200 V3 from TP-Link has a significant security flaw within its HTTPS service, exposing a connectAP interface that lacks adequate authentication mechanisms. This vulnerability allows an unauthenticated attacker on the same local network segment to exploit the device, enabling them to alter Wi-Fi settings. Such unauthorized changes can lead to loss of connectivity for legitimate users and can result in a denial-of-service situation, impacting the overall functionality of the device.

Affected Version(s)

Tapo C100 v5 0

Tapo C200 V3 0

References

https://www.tp-link.com/us/support/download/tapo-c200/v3/...
patch
https://www.tp-link.com/us/support/faq/4849/
vendor-advisory
https://www.tp-link.com/en/support/download/tapo-c100/v5/...
patch

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Simone Margaritelli (evilsocket)
.