Unauthenticated API Vulnerability in TP-Link Tapo C210 App for iOS and Android
CVE-2025-14553
7 HIGH
What is CVE-2025-14553?
An unprotected API response in the TP-Link Tapo C210 app for both iOS and Android allows unauthorized disclosure of password hashes. Attackers on the same local network can obtain these hashes and attempt to recover the passwords through brute force. Users are advised to update their mobile applications to mitigate the risk of unauthorized access; note that device firmware does not address this specific issue.
Affected Version(s)
TP-Link Tapo App Android 0 < 3.1.6
TP-Link Tapo App iOS 0 < 3.1.601
