PatchSiren cyber security CVE debrief
CVE-2026-6242 TP-Link Systems Inc. CVE debrief
CVE-2026-6242 is a MEDIUM-severity vulnerability with a CVSS score of 6.8. The vulnerability exists in the ONVIF Subscribe service of Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An authenticated attacker may inject crafted format strings into event subscription requests or notification generation paths to disrupt normal service execution, potentially causing the event notification service to terminate unexpectedly. This results in the loss of real-time alarm functionality and disruption of event notifications.
- Vendor: TP-Link Systems Inc.
- Product: Tapo C520WS v2
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-06
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-06
- Advisory updated: 2026-06-08
Who should care
Users of Tapo C520WS v2 should be aware of this vulnerability and take necessary actions to mitigate potential risks.
Technical summary
The vulnerability is caused by improper handling of externally supplied parameters within formatting functions in the ONVIF Subscribe service of Tapo C520WS v2. This allows an authenticated attacker to inject crafted format strings, potentially disrupting normal service execution.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply firmware updates from the vendor as available.
- Restrict access to the ONVIF Subscribe service.
- Monitor service logs for suspicious activity.
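To support the monitoring action above, the following added example (not vendor or PatchSiren code) flags printf-style conversion specifications inside ONVIF Subscribe request bodies, the input class the technical summary describes. It assumes request bodies are available to the defender, for example from a proxy or packet capture; the function names and sample envelopes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# printf conversion spec: %[n$][flags][width][.precision][length]conversion
FORMAT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfgGaAcspn]"
)

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_format_specs(soap_xml):
    """Return (element, token) for each conversion spec in the text or
    attribute values of a request that contains a Subscribe element."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError:
        return [("<unparseable>", "")]  # malformed body: triage by hand
    if not any(local(e.tag) == "Subscribe" for e in root.iter()):
        return []  # not a subscription request
    hits = []
    for elem in root.iter():
        for value in [elem.text or "", *elem.attrib.values()]:
            for match in FORMAT_SPEC.finditer(value):
                hits.append((local(elem.tag), match.group(0)))
    return hits

def sample(address):
    """Constructed WS-BaseNotification Subscribe envelope (not a capture)."""
    return (
        '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
        'xmlns:wsnt="http://docs.oasis-open.org/wsn/b-2" '
        'xmlns:wsa="http://www.w3.org/2005/08/addressing"><s:Body>'
        "<wsnt:Subscribe><wsnt:ConsumerReference>"
        f"<wsa:Address>{address}</wsa:Address></wsnt:ConsumerReference>"
        "<wsnt:InitialTerminationTime>PT60S</wsnt:InitialTerminationTime>"
        "</wsnt:Subscribe></s:Body></s:Envelope>"
    )

# The field used below is arbitrary; the advisory names no parameter.
BENIGN = sample("http://192.0.2.10:8080/events")
SUSPECT = sample("http://192.0.2.10:8080/events/%d/%08x")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_format_specs(body))
```

Percent-encoded URLs can also match (for example `%20d` in an encoded path), so treat hits as a triage signal rather than proof of an attempt.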
Evidence notes
The vendor is listed as Unknown Vendor, but evidence suggests the product is from TP-Link.
Official resources
- CVE-2026-6242 CVE record (CVE.org)
- CVE-2026-6242 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: f23511db-6c3e-4e32-a477-6aa17d310630
CVE-2026-6242 was published on 2026-06-06T00:16:41.347Z and modified on 2026-06-08T15:01:06.580Z.