CVE-2025-14300

Summary

The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).

Affected Software

VendorProductVersion RangeStatus
TP-Link Systems Inc.Tapo C200 V30 < V3_1.4.5 Build 251104affected
TP Link Systems Inc.Tapo C100 v50 < V5_1.4.4 Build 260303affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References