PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6250 TP-Link Systems Inc. CVE debrief

CVE-2026-6250 is an authenticated format string vulnerability in the ONVIF service of Tapo C110 v2. This vulnerability allows a remote authenticated attacker to manipulate stack memory, including control flow data such as return addresses, by interpreting externally controlled data as a format string. Consequently, the attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset. This can lead to loss of configuration, deletion of stored credentials, and service disruption.

Vendor: TP-Link Systems Inc.
Product: Tapo C110 v2
CVSS: 7 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-12
Advisory published: 2026-06-11
Advisory updated: 2026-06-12

Who should care

Owners and administrators of Tapo C110 v2 cameras, especially those with the ONVIF service reachable by other users on the network, should be aware of this vulnerability and apply the defensive actions listed below.

Technical summary

The vulnerability exists because the ONVIF service of Tapo C110 v2 interprets user-controlled input as a format string. A remote authenticated attacker can use this to manipulate stack memory, including control flow data such as return addresses, and potentially execute arbitrary code.

Defensive priority

High

Recommended defensive actions

  • Apply firmware updates from the vendor as soon as they become available.
  • Restrict access to the ONVIF service to only trusted users and networks.
  • Monitor device logs for suspicious activity.
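The bug class behind the technical summary (untrusted data in the format position of a printf-family call) and the input check that supports the second and third recommended actions, shown as an added C example that is not TP-Link firmware code; the "hostname" field and the sample values are assumptions:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern the advisory describes: a value from an authenticated
 * ONVIF request is used as the format itself, so "%x"/"%n" directives in it
 * read and write the stack. Kept as a comment so this example never runs it:
 *     snprintf(line, sizeof line, request_value);    // data used as format */

/* Hardened form: the format is a literal and the untrusted value is only an
 * argument, so any '%' it carries is copied as plain text. Returns snprintf's
 * result (characters that would have been written, excluding the NUL). */
int log_onvif_value(char *dst, size_t dstlen, const char *field, const char *value)
{
    return snprintf(dst, dstlen, "onvif %s=%s", field, value);
}

/* Boundary check for rejecting or alerting on suspicious input: true if the
 * string contains a complete printf conversion directive. Flags, width,
 * precision and length modifiers are skipped; "%%" is a literal percent. */
bool has_format_directive(const char *s)
{
    size_t i = 0;
    while (s[i]) {
        if (s[i] != '%') { i++; continue; }
        i++;                                         /* past '%' */
        if (s[i] == '%') { i++; continue; }          /* "%%" is harmless */
        while (s[i] && strchr("-+ #0", s[i])) i++;   /* flags */
        while (s[i] == '*' || (s[i] >= '0' && s[i] <= '9')) i++;   /* width */
        if (s[i] == '.') {                           /* precision */
            i++;
            while (s[i] == '*' || (s[i] >= '0' && s[i] <= '9')) i++;
        }
        while (s[i] && strchr("hlLqjzt", s[i])) i++; /* length modifiers */
        if (s[i] && strchr("diouxXeEfFgGaAcspn", s[i])) return true;
        /* incomplete directive: keep scanning from the current character */
    }
    return false;
}

int main(void)
{
    /* Constructed sample values, as they might arrive in a SetHostname call. */
    const char *samples[] = { "camera-01", "100%% done", "%n%n%n%n", "AAAA%08x%08x" };
    char line[128];
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        log_onvif_value(line, sizeof line, "hostname", samples[k]);
        printf("%-32s suspicious=%d\n", line, has_format_directive(samples[k]));
    }
    return 0;
}
```

The same directive check, applied to request fields extracted from device or proxy logs, is a practical core for the "monitor device logs" action.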

Evidence notes

The CVE record and NVD detail pages provide additional information about this vulnerability.

Official resources

CVE-2026-6250 was published on 2026-06-11T22:16:57.870Z and modified on 2026-06-12T16:06:17.027Z.