CVE-2025-14553

Summary

Exposure of password hashes through an unauthenticated API response in TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute force the password in the local network. Issue can be mitigated through mobile application updates. Device firmware remains unchanged.

Affected Software

VendorProductVersion RangeStatus
TP-Link Systems Inc.TP-Link Tapo App0 < 3.1.6affected
TP-Link Systems Inc.TP-Link Tapo App0 < 3.1.601affected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References