CVE-2026-6239 in Tapo C520WS v2

Summary

by MITRE • 06/06/2026

A stack‑based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where the device fails to properly validate the number of XML user nodes during request processing. An authenticated attacker can send a specially crafted ONVIF request containing an excessive number of user entries to trigger memory corruption.









Successful exploitation may cause the ONVIF management service to terminate unexpectedly, resulting in a denial‑of‑service (DoS) condition that disrupts device configuration and management functions.


Analysis

by VulDB Data Team • 06/06/2026

The Tapo C520WS v2 camera firmware contains a critical stack-based buffer overflow vulnerability within its ONVIF CreateUsers service implementation. This vulnerability stems from inadequate input validation mechanisms that fail to properly constrain the number of XML user nodes processed during request handling. The flaw exists in the device's authentication and authorization framework where the system does not enforce reasonable limits on the number of user entries that can be included in a single CreateUsers request. This represents a classic stack buffer overflow condition classified under CWE-121, where insufficient bounds checking allows malicious input to overwrite adjacent memory locations on the program's stack. The vulnerability specifically affects the ONVIF protocol implementation which is widely used for IP camera management and configuration across the security industry.

The technical exploitation of this vulnerability requires an authenticated attacker who can establish a valid ONVIF session with the device. Once authenticated, the attacker can craft a malicious XML request that includes an excessive number of user node entries beyond the system's expected limits. The device's XML parser processes these entries without proper validation, causing the stack buffer to overflow when the system attempts to store the additional user data. This memory corruption can overwrite critical program execution data including return addresses and stack canaries, potentially leading to arbitrary code execution or service termination. The vulnerability aligns with ATT&CK technique T1210, which covers exploitation of remote services through buffer overflow mechanisms, and demonstrates poor input validation practices that violate security best practices.

The operational impact of this vulnerability manifests as a denial-of-service condition that can completely disrupt the device's management capabilities. When exploited successfully, the ONVIF management service terminates unexpectedly, rendering the device inaccessible through standard management interfaces. This disruption affects not only the device's configuration capabilities but also its ability to maintain network connectivity and security functions. The DoS condition can persist until the device is manually restarted or rebooted, potentially leaving the network segment vulnerable during the outage period. Organizations relying on these devices for security monitoring may experience significant operational disruption, particularly in environments where multiple Tapo devices are deployed and managed through centralized ONVIF interfaces. The vulnerability also creates opportunities for attackers to disrupt business continuity and compromise overall network security posture.

Mitigation strategies should focus on implementing proper input validation and bounds checking within the ONVIF service implementation. Device manufacturers should enforce strict limits on the number of user entries permitted in a single CreateUsers request and implement comprehensive XML parsing validation. Network administrators should ensure that all Tapo devices are updated to the latest firmware versions that address this vulnerability. Additionally, implementing network segmentation and access controls can limit the attack surface by restricting unauthorized access to the ONVIF management interfaces. Security monitoring should include detection of unusual ONVIF request patterns that might indicate exploitation attempts, and regular security assessments should verify that proper input validation mechanisms are in place to prevent similar vulnerabilities from emerging in other services. Organizations should also consider implementing intrusion detection systems that can identify and alert on malformed ONVIF requests that attempt to exploit buffer overflow conditions.
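One way to apply the per-request limit and the request-pattern detection described above is at an inspection point in front of the camera. The following is an added example, not code from the advisory or from the vendor. The `MAX_USERS` and `MAX_BODY_BYTES` thresholds, the function name and the sample request are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

TDS = "http://www.onvif.org/ver10/device/wsdl"  # ONVIF device service namespace
MAX_USERS = 8                # assumed policy threshold, not a value from the advisory
MAX_BODY_BYTES = 64 * 1024   # assumed cap so the inspector itself stays bounded

# Constructed sample: a CreateUsers request carrying three User nodes.
SAMPLE = (
    b'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"'
    b' xmlns:d="http://www.onvif.org/ver10/device/wsdl"'
    b' xmlns:tt="http://www.onvif.org/ver10/schema"><s:Body><d:CreateUsers>'
    + 3 * b"<d:User><tt:Username>sample</tt:Username>"
          b"<tt:Password>constructed</tt:Password>"
          b"<tt:UserLevel>User</tt:UserLevel></d:User>"
    + b"</d:CreateUsers></s:Body></s:Envelope>"
)


def inspect_create_users(body: bytes, max_users: int = MAX_USERS) -> dict:
    """Return a pass/block verdict for one HTTP body sent to the ONVIF service."""
    if len(body) > MAX_BODY_BYTES:
        return {"verdict": "block", "reason": "oversized body", "users": None}
    # SOAP messages must not carry a DTD, so refuse one before parsing.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return {"verdict": "block", "reason": "DTD in SOAP body", "users": None}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"verdict": "block", "reason": "malformed XML", "users": None}
    # Match on the namespace URI, not the prefix: a sender may bind any prefix.
    calls = list(root.iter(f"{{{TDS}}}CreateUsers"))
    if not calls:
        return {"verdict": "pass", "reason": "not CreateUsers", "users": 0}
    users = sum(len(call.findall(f"{{{TDS}}}User")) for call in calls)
    if users > max_users:
        return {"verdict": "block", "reason": "too many User nodes", "users": users}
    return {"verdict": "pass", "reason": "within limit", "users": users}


if __name__ == "__main__":
    print(inspect_create_users(SAMPLE))               # within the assumed default
    print(inspect_create_users(SAMPLE, max_users=2))  # stricter policy blocks it
```

Logging the `users` count from blocked requests gives the monitoring signal the paragraph calls for, independent of whether the device firmware has been updated.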

Responsible: TPLink
Reservation: 04/13/2026
Disclosure: 06/06/2026
Moderation: accepted
CPE: ready
EPSS: 0.00000
KEV: no
Activities: very low
