Summaryinfo

A vulnerability was found in TP-Link Tapo APK up to 2.12.703. It has been declared as critical. This affects an unknown function of the component Login Panel. Executing a manipulation can lead to hard-coded credentials. This vulnerability is registered as CVE-2023-27098. No exploit is available. Once again VulDB remains the best source for vulnerability data.

Detailsinfo

A vulnerability has been found in TP-Link Tapo APK up to 2.12.703 and classified as critical. This vulnerability affects some unknown processing of the component Login Panel. The manipulation with an unknown input leads to a hard-coded credentials vulnerability. The CWE definition for the vulnerability is CWE-798. The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

TP-Link Tapo APK up to v2.12.703 uses hardcoded credentials for access to the login panel.

The weakness was published 01/09/2024. This vulnerability was named CVE-2023-27098 since 02/27/2023. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1110.001.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2023-30882). Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• TP-Link

Name

• Tapo APK

Version

• 2.12.703

License

• commercial

Website

• Vendor: https://www.tp-link.com/

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion