TVE-2026-05: TP-Link offline password bruteforce

An attacker sending malformed requests over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a cryptographic design vulnerability that enables offline password bruteforce, which may lead to TAPO cloud account compromise. The vulnerability we are disclosing in this advisory affects a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory has not yet been released for this vulnerability.

Vulnerability Details
The following diagram summarizes the TAPO camera authentication procedure: First, the client queries the acn, then calculates the digest password the following way: H(cnonce + H(pw) + acn) + acn + cnonce. The device_confirm value contains the hashed password to prove the identity of the device to the app (or other party), as follows: H(cnonce + H(pw) + acn) + acn + cnonce = device_confirm.

CVE-2026-34122: TP-Link HTTP DS stack buffer overflow

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a stack buffer overflow, which leads to remote code execution. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2026-34122.

Vulnerability Details
There is an unsafe strcpy in the handler function of the set_park_config DS action of the HTTP server in TAPO devices:
ds_set_park_config() { iVar1 = get_some_global(); if (iVar1 != 0) { memcpy(&local_48,(void *)(iVar1 + 0x10),0x38); action_mode = jso_obj_get_string_origin(root,"enabled"); if ((action_mode !

TVE-2026-01: Xiaomi miIO Protocol Authentication Bypass

An attacker sending malformed miIO messages over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here. This report describes a secure protocol design issue, which leads to authentication bypass in the proprietary Xiaomi miIO protocol. The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure.

Vulnerability Details
For packets received on UDP port 54321, the miio_client binary verifies the MAC and then decrypts the received packet.

TVE-2026-02: Xiaomi miIO client cryptographically weak PRNG

An attacker sending malformed miIO messages over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here. This report describes the use of a cryptographically weak PRNG implementation, which leads to reliable prediction of cryptographic primitives used in the proprietary Xiaomi miIO protocol’s authentication and key agreement procedure. The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure.

TVE-2026-03: Xiaomi miIO client heap buffer overflow

An attacker sending a malformed miIO message over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here. This report describes a heap buffer overflow, which leads to remote code execution. The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure.

Vulnerability Details
Due to a flaw in the design of the handshake sequence, it is possible to complete the setup flow without knowledge of the setup code by replaying certain values that the camera sends.

CVE-2023-32874: Mediatek Baseband Excessive Number of SDP rtpmap Entries Leads to Stack Buffer Overflow

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is a stack buffer overflow in the baseband, triggered by malformed SDP data in a VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32874.

Vulnerability Details
When a SIP message contains SDP data, first the cc_call_unpack_sdpmsg routine is invoked to unpack the message bytes into an internal representation (sdp_message_struct). Later the codec information is extracted from this internal representation by calling several codec extracting functions.

CVE-2023-32886: Mediatek Baseband Buffer Overflow During Handling SIP Multipart Messages

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is a heap overflow in the baseband, triggered by malformed multipart SIP messages containing SMS data. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32886.

Vulnerability Details
SIP supports the processing of multipart requests (as described in RFC 1341), where a single message can contain multiple body parts with different content types. In these messages each body fragment is separated by a boundary tag that is defined in the boundary parameter of the Content-Type MIME header.

CVE-2023-32887: Mediatek Baseband Unbounded Recursion Leading to Stack Overflow During Handling SIP Comments

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is an unbounded-recursion-based stack overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32887.

Vulnerability Details
When a SIP message is unpacked by sip_msg_unpack, inet_msg_unpack_header is called to parse the various MIME headers. The function inet_msg_mime_skip_comment is reached from inet_msg_mime_skipws (and other inet_msg_skipcfws* functions), and it recursively seeks over the comments in the header in order to remove whitespace around, and comments from, the MIME header values.

CVE-2023-32888: Mediatek Baseband Heap Buffer Overflow When Parsing SIP P-Asserted-Identity Header

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32888.

Vulnerability Details
When a SIP message is unpacked by sip_msg_unpack, cc_call_set_peer_addr is responsible for updating the session description object with the peer information. When the SIP message contains the P-Asserted-Identity header, the vulnerable cc_call_replace_double_quote function is called to replace double quotes with the <ascii_34> string.

CVE-2023-32889: Mediatek Baseband Buffer Overflow During SDP mode-set Parsing

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is an intra-structure overflow in the baseband, triggered by malformed SDP data in a VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32889.

Vulnerability Details
When a SIP message contains SDP data, first the cc_call_unpack_sdpmsg routine is invoked to unpack the message bytes into an internal representation (sdp_message_struct). Based on that, the session object’s des_audio structure is later populated with the AMR/AMR-WB codec info.