Improper Certificate Validation in TP-Link Tapo H100 and P100 Smart Devices
CVE-2025-15557

7.5HIGH

Key Information:

Vendor

Tp-link Systems Inc.

Status
Tapo H100 V1
Tapo P100 V1
Vendor
CVE Published:
5 February 2026

What is CVE-2025-15557?

An Improper Certificate Validation vulnerability in TP-Link's Tapo H100 and Tapo P100 allows an attacker on the same network segment to intercept and manipulate encrypted communications between devices and the cloud. This can lead to unauthorized access, data theft, or alteration of device functionalities, jeopardizing the security and privacy of users.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Tapo H100 v1 0 < 1.6.1

Tapo P100 v1 0 < 1.2.6

References

https://www.tp-link.com/us/support/download/tapo-h100/
patch
https://www.tp-link.com/us/support/download/tapo-p100/
patch
https://www.tp-link.com/en/support/download/tapo-h100/
patch

CVSS V4

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jere Ainasoja and Jack Sundholm from Test of Things
JSON
.