MEDIUM 6.5

CVE-2026-1871: TP-Link Tapo C200 v5 RTSP Buffer Overflow DoS Vulnerability

TP-Link Tapo C200 v5 camera firmware contains a flaw in how it validates incoming RTSP (Real Time Streaming Protocol) authentication requests. An attacker on the local network can send a specially crafted authentication message that overflows a memory buffer, crashing the camera's streaming service and forcing an automatic reboot. During this outage, users cannot view live video or manage the camera remotely. Once the camera restarts, service is restored, but the vulnerability remains exploitable, making repeated attacks feasible.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
11 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request. Successful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera’s live video stream or management interface until the service restarts.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a stack-based buffer overflow (CWE-121) in the RTSP authentication handler of TP-Link Tapo C200 v5 firmware. The root cause is insufficient validation of the Authorization header field length in RTSP requests. When an attacker sends an oversized Authorization header, the parser fails to enforce bounds checking and writes beyond the allocated stack buffer. This memory corruption triggers a crash of the RTSP core service process, which the camera's watchdog or system logic interprets as a fatal error, initiating an automatic reboot. The vulnerability requires network adjacency (local network access) and no authentication to trigger, but results only in denial of service rather than code execution or information disclosure.

Business impact

Organizations deploying Tapo C200 v5 cameras for surveillance, access monitoring, or physical security lose real-time visibility and remote management capability during attacks. For businesses relying on continuous security monitoring, even brief outages create blind spots. Repeated exploitation (the vulnerability is not self-healing) can disrupt operations and confidence in the surveillance infrastructure. The impact is contained to availability; no sensitive data is exposed or corrupted by this flaw.

Affected systems

TP-Link Tapo C200 v5 firmware is confirmed affected. The vulnerability is specific to version 5 of the Tapo C200 hardware model; other Tapo or TP-Link models and firmware versions may have different exposure. Organizations should verify their exact hardware revision and firmware version before applying mitigations. Consult TP-Link's security advisories for the precise list of affected firmware builds and any mention of other Tapo models.

Exploitability

The vulnerability has a CVSS 3.1 score of 6.5 (MEDIUM severity). It is exploitable over a local network without requiring the attacker to authenticate to the camera beforehand or interact with a user. The attack is straightforward: craft and send a malformed RTSP Authorization header. However, it does not appear in the CISA Known Exploited Vulnerabilities catalog, suggesting active exploitation in the wild is not yet documented. The barrier to local network access and the denial-of-service-only outcome (no remote code execution) reduce the urgency, but the simplicity of the attack means opportunistic exploitation by local network adversaries is plausible.

Remediation

Apply TP-Link's patched firmware for Tapo C200 v5 as soon as it becomes available. Mitigating controls include: (1) restricting RTSP access to trusted local network segments or a VPN; (2) disabling RTSP access if not actively used; (3) segmenting cameras onto a dedicated IoT network separate from critical infrastructure; (4) implementing network monitoring to detect unusual RTSP traffic patterns. These measures reduce exposure but do not eliminate the vulnerability until a patch is deployed.

Patch guidance

Monitor TP-Link's official security advisories and support portal for a patched firmware release for Tapo C200 v5. When available, update the camera via its web management interface or mobile app, following TP-Link's documented update procedure. Firmware updates for Tapo cameras typically require the device to be powered and connected to the network. Test the update in a non-critical environment first if possible. Verify the camera's firmware version post-update to confirm the patch was successfully applied. Maintain a record of firmware versions in your asset inventory to track compliance.

Detection guidance

Monitor network traffic for unusually long or malformed RTSP Authorization headers destined to Tapo C200 devices. Look for repeated RTSP connection failures followed by camera reboot events in your device logs or network security tools. If available, enable debug or verbose logging on the camera's RTSP service. In the absence of detailed logs, correlate camera downtime events with suspicious inbound RTSP traffic. Network intrusion detection systems (IDS) or next-generation firewalls with RTSP inspection may flag oversized Authorization headers if properly tuned. Note that simple DoS attacks often go unnoticed until users report access issues, so proactive network monitoring is valuable.

Why prioritize this

Prioritize patching based on environment and camera usage. High-priority if the camera is mission-critical for physical security or compliance monitoring, or if it is exposed to a hostile or semi-trusted local network. Medium-priority in controlled corporate environments with restricted network access and low-security cameras. Low-priority for cameras in locked-down networks with no untrusted users. Since the flaw is not yet widely exploited (not in CISA KEV) and requires local network access, organizations in secure, isolated networks may defer patching until patch verification and deployment resources are available, but should plan an update cycle within 90 days.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a MEDIUM-severity denial-of-service vulnerability. The Attack Vector is Adjacent (local network only), which reduces severity compared to remotely exploitable flaws. Attack Complexity is Low, meaning an attacker with network access can trivially craft the trigger. Privileges Required and User Interaction are both None, increasing exploitability. The impact is limited to Availability (high), with no Confidentiality or Integrity impact. The score appropriately balances the straightforward attack mechanism against the limited scope of harm. However, in environments where camera availability is operationally critical, the business impact may warrant treating this as higher-priority than the base CVSS score suggests.

Frequently asked questions

Can this vulnerability lead to unauthorized access or data theft from the camera?

No. This is a pure denial-of-service flaw. Successful exploitation crashes the RTSP service, but does not bypass authentication, expose video streams, extract credentials, or modify camera settings. The attacker can only disrupt availability, not compromise confidentiality or integrity.

Do I need local network access to exploit this vulnerability?

Yes. The attacker must be on the same local network segment as the camera or able to route RTSP traffic to it. This might be via WiFi if the camera is on an open or compromised network, or via physical access to a wired network. Remote internet-based exploitation is not possible.

What should I do if my Tapo C200 v5 keeps rebooting unexpectedly?

Unexpected reboots could indicate active exploitation attempts. Verify your camera's firmware version and begin planning an update. In the interim, isolate the camera to a trusted network segment, disable remote RTSP access if not needed, and review any available logs for signs of malformed requests. Contact TP-Link support if reboots persist after network isolation.

Is there a temporary workaround if I cannot patch immediately?

Complete elimination of the flaw requires a firmware patch, but you can significantly reduce risk by: disabling RTSP access in the camera settings if you do not use it; restricting the local network to trusted devices and users; placing the camera on a separate IoT VLAN with ingress filtering; and monitoring for unusual RTSP traffic patterns. These controls buy time while you plan a patch deployment.

This analysis is based on the CVE record published on 2026-06-02 and modified on 2026-06-17. Patch availability, affected firmware versions, and remediation timelines should be verified directly with TP-Link's official security advisories and product documentation. SEC.co does not provide legal, compliance, or liability guidance; organizations must assess risk within their own threat model and regulatory context. Exploit code, weaponized proof-of-concept materials, or detailed attack instructions are not included in this publication. Use of this information is at the reader's own risk and responsibility. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).