CVE-2026-8714: TP-Link Tapo C520WS v2 RTSP Denial-of-Service Vulnerability
A flaw in the RTSP (Real Time Streaming Protocol) server component of TP-Link Tapo C520WS v2 cameras allows an attacker on the local network to send specially crafted malformed input that causes the streaming service to stop responding. Once triggered, the camera's video streaming capability becomes unavailable until the service is restarted, effectively taking the camera offline for monitoring purposes.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-19
NVD description (verbatim)
A denial-of-service vulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of syntactically invalid input. Crafted inputs can trigger a processing error, causing the RTSP service to enter non-responsive state. Successful exploitation may cause the RTSP in a denial-of-service condition.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8714 is a denial-of-service vulnerability stemming from improper input validation (CWE-20) in the RTSP server implementation of TP-Link Tapo C520WS v2 firmware. The vulnerability permits an unauthenticated attacker with network access to the device to send syntactically invalid RTSP protocol packets that trigger a processing error, rendering the RTSP service unresponsive. The vulnerability does not permit code execution, data theft, or authentication bypass; impact is strictly availability.
Business impact
Organizations relying on Tapo C520WS v2 cameras for continuous security monitoring face operational risk if the RTSP service is disabled. An attacker with local network access could disrupt surveillance capabilities, creating blind spots in physical security coverage. This is particularly concerning in environments where these affordable cameras serve as primary monitoring solutions or where monitoring gaps coincide with physical security incidents. The low barrier to exploitation (no authentication required) and modest technical skill needed to craft malformed packets increase the practical threat.
Affected systems
TP-Link Tapo C520WS v2 devices running vulnerable firmware are affected. Both the camera hardware and its firmware package are listed as affected products. Verify the exact firmware version running on your devices through the camera's administration interface. Organizations should inventory all Tapo C520WS v2 deployments and prioritize affected units, particularly those in critical security monitoring roles.
Exploitability
Exploitation is feasible for attackers with layer-2 or layer-3 network access to the camera. No authentication is required, and the attack surface is the RTSP service port, which may be accessible from the local network or via port forwarding configurations. The low complexity of crafting malformed input packets means that exploitation does not require sophisticated tools or deep protocol expertise. However, the attack requires network proximity, limiting risk from remote threat actors unless the RTSP port is exposed to the Internet.
Remediation
Firmware updates addressing this vulnerability should be obtained from TP-Link and applied to all affected Tapo C520WS v2 devices. Until patches are available or deployed, restrict network access to the RTSP service port (typically UDP/TCP 554) using firewall rules and network segmentation. Disable RTSP access if it is not actively used, and audit configurations to ensure the service is not inadvertently exposed to untrusted networks. Monitor camera accessibility and set up alerting for service interruptions.
Patch guidance
Contact TP-Link support or check the product support page for the latest Tapo C520WS v2 firmware release addressing CVE-2026-8714. Verify patch availability against the vendor advisory before deployment. Apply patches through the camera's web interface or management application, following TP-Link's documented firmware update procedures. Test patches in a non-critical environment first to ensure compatibility with your network and recording infrastructure.
Detection guidance
Monitor RTSP service availability and responsiveness on affected cameras using network-based health checks (e.g., RTSP OPTIONS requests). Implement port scans or service enumeration to confirm RTSP is accessible only to intended networks. Log authentication attempts and connection patterns to the RTSP port. Watch for sudden service restarts or unplanned downtime on Tapo C520WS v2 devices, which may indicate exploitation attempts. Consider deploying intrusion detection rules that flag malformed RTSP packets or protocol violations.
Why prioritize this
Although the CVSS score is moderate (6.5), the practical impact is significant in security-critical deployments. The ease of exploitation, lack of authentication requirement, and broad availability of affordable TP-Link cameras in small-to-medium business and enterprise environments warrant timely patching. Prioritize devices in high-value monitoring locations or those exposed to untrusted networks. Organizations with robust alternative monitoring should deprioritize less critical cameras.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects a network-adjacent attack surface (AV:A), low attack complexity (AC:L), no privilege or user interaction required (PR:N/UI:N), and high impact on availability (A:H). The score does not account for scope or confidentiality/integrity impacts because none exist. In context, the moderate score underrepresents organizational risk in environments heavily dependent on continuous video surveillance, making human risk judgment essential alongside the numerical score.
Frequently asked questions
Can this vulnerability be exploited remotely over the Internet?
Exploitation requires network access to the RTSP service port, typically UDP/TCP 554. If this port is exposed to the Internet via port forwarding or misconfigured firewall rules, remote exploitation is possible. By default, the RTSP service is accessible only on the local network. Audit your network configuration to confirm whether RTSP is exposed externally.
Does this vulnerability allow attackers to access video feeds or steal data?
No. CVE-2026-8714 is strictly a denial-of-service vulnerability. It does not permit unauthorized video access, credential theft, or data exfiltration. The impact is limited to making the RTSP streaming service unresponsive. Confidentiality and integrity of the system remain unaffected.
What happens if the RTSP service is knocked offline by this attack?
The camera's streaming capability becomes unavailable until the RTSP service is restarted, either manually through the camera's web interface or automatically via a reboot. Live monitoring feeds may drop, and dependent applications or integrations will lose connectivity. Systems relying on continuous video streams for alerting or analytics will experience gaps.
Is there a temporary workaround if a patch is not yet available?
Yes. Disable RTSP access if it is not actively used, or restrict access to the RTSP port using firewall rules and network segmentation. Limit connections to the service to only trusted devices and networks. Monitor camera uptime and set up automated health checks to detect and alert on service failures.
This analysis is based on publicly available vulnerability data as of the published date. Patch availability, CVSS scores, and KEV status are subject to change. Verify all patch versions and remediation steps against official TP-Link advisories before deployment. This document is for informational purposes and should not replace a formal risk assessment or vendor guidance. Organizations should conduct their own testing and validation in their specific environments. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-5089MEDIUMArista EOS/CVX DoS via Malformed Messages
- CVE-2025-5090MEDIUMCVX CVE-2025-5090: Input Validation Flaw Leads to Agent Crashes and Denial of Service
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0070MEDIUMAndroid DevicePolicyManagerService Local Denial of Service Vulnerability
- CVE-2026-0085MEDIUMAndroid Contact Handler Denial of Service Vulnerability
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10566MEDIUMMetaGPT Local Deserialization Vulnerability Exploit Available