A critical security vulnerability has been discovered in TP-Link’s VIGI series surveillance cameras, allowing attackers on a local network to bypass authentication and seize full administrative control. The flaw, detailed in a new security advisory, affects the password recovery feature of the cameras’ local web interface.
The vulnerability, tracked as CVE-2026-0629, carries a high-severity CVSS score of 8.7. It stems from a failure in how the device validates password reset requests.
“Authentication bypass in the password recovery feature of the local web interface in VIGI cameras allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state,” the advisory explains.
Essentially, an attacker connected to the same local area network (LAN) as the camera can trick the system into resetting the administrator password without providing the necessary proof of identity.
The impact of this flaw is severe. Once an attacker has reset the password, they can log in as the administrator, giving them unrestricted access to the camera’s settings and feed.
“Attackers can gain full administrative access to the device, compromising configuration and network security,” the advisory warns.
This level of access could allow an intruder to disable recording, alter network settings, or pivot to other devices on the network.
The advisory lists a wide range of affected models, including the VIGI C340, C440, C540, and the InSight series. TP-Link has released firmware updates to address the issue across these product lines.
For example, the popular VIGI C340 2.0 model is fixed in firmware version 2.1.0 Build 250701 Rel.49304n or later. Users are strongly urged to verify their specific model and firmware version against the full list provided in the advisory.
TP-Link recommends that all users with affected devices update their firmware immediately to close this security gap. Firmware updates can be found at the official TP-Link Download Center for your respective region.