PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34126 TP-Link Systems Inc. CVE debrief

TP-Link Tapo smart home devices transmit Bluetooth pairing data in cleartext during initial setup, enabling proximity-based attackers to sniff or manipulate device initialization traffic. The vulnerability affects Tapo L535E (v1.0/v3.0) smart bulbs, Tapo P300 (v1.0) smart plugs, and Tapo D100C (v1.0) doorbell chimes. Bluetooth is only active during device initialization, limiting the attack window to the physical setup phase. An attacker within Bluetooth range can eavesdrop on setup communications, modify transmitted configuration data, and potentially gain unauthorized device control before network credentials are established. The D100C chime is bundled with multiple Tapo camera models including D130, D210, D235, D225, TD21, TDB21, and TD25, expanding the affected product footprint. The CVSS 4.0 vector indicates adjacent network attack vector with low attack complexity, requiring physical proximity but no privileges. CWE-319 (Cleartext Transmission of Sensitive Information) is identified as the underlying weakness.

Vendor
TP-Link Systems Inc.
Product
Tapo L535E v1.0, v3.0
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

IoT security teams, smart home installers, facilities management deploying Tapo devices, consumer electronics retailers, and organizations with bring-your-own-device IoT policies should prioritize this vulnerability due to the ease of proximity exploitation during routine device provisioning.

Technical summary

The vulnerability exists in the Bluetooth Low Energy (BLE) implementation used during device provisioning. When users initialize affected Tapo devices through the mobile application, setup data—including potentially sensitive configuration parameters—is transmitted without encryption. This occurs exclusively during the initialization phase when Bluetooth is active; normal operational communication uses Wi-Fi. The attack requires physical proximity (Bluetooth range, typically ~10 meters) and timing coordination with legitimate device setup. Successful exploitation enables passive eavesdropping (information disclosure) or active manipulation (integrity compromise) of setup data, with potential for unauthorized device control if authentication tokens or credentials are intercepted or modified during transmission. The CVSS 4.0 score of 7.3 reflects high impacts to confidentiality and integrity with adjacent network access requirements.

Defensive priority

HIGH

Recommended defensive actions

  • Verify Tapo device firmware versions against vendor release notes for encryption fixes
  • Conduct Bluetooth security assessment during device provisioning workflows
  • Implement physical security controls to prevent unauthorized proximity access during device initialization
  • Monitor for anomalous Bluetooth pairing attempts in deployment environments
  • Review network segmentation for IoT devices to limit blast radius of compromised initial setup
  • Coordinate with facilities teams to ensure trusted personnel perform device onboarding
  • Document affected camera bundles (D130, D210, D235, D225, TD21, TDB21, TD25) for inventory verification

Evidence notes

Vulnerability confirmed through official TP-Link firmware release notes and security FAQ documentation. Bluetooth sniffing and man-in-the-middle techniques are identified attack vectors. Affected device models and firmware versions explicitly listed in vendor disclosures.

Official resources

2026-05-28