TL;DR
TP-Link has patched two information disclosure flaws in Kasa EC70 v4 and EC71 v4 cameras. The more severe TP-Link Kasa vulnerability, CVE-2026-9770 (CVSS 8.6), stems from a hardcoded cryptographic key that enables credential interception. A second flaw, CVE-2026-13230 (CVSS 5.3), leaks geolocation data without authentication. TP-Link reports no in-the-wild exploitation, and no public proof-of-concept exists.
Why It Matters
Kasa cameras sit inside homes and small offices, watching private spaces. Both flaws require only local network access, not internet exposure. Consequently, a guest on your Wi-Fi or a compromised smart device could reach them. TP-Link’s advisory warns that attackers may “intercept or obtain administrative credentials.” Stolen admin access to a camera means full control of the video feed.
How the Attacks Work
CVE-2026-9770: Hardcoded Cryptographic Key
A hardcoded key sits embedded in the system image. That key breaks the confidentiality of traffic to the web management interface. As a result, an attacker on the local network could run a machine-in-the-middle attack and capture admin credentials.
CVE-2026-13230: Geolocation Leak
The local discovery mechanism exposes geolocation data without any authentication. This TP-Link Kasa vulnerability affects confidentiality only. TP-Link found no evidence of integrity or availability impact.
- Total: 2 CVEs
- Severity: 1 High · 1 Medium
- Actively exploited: None confirmed
- Highest severity: 8.6 (High · CVSSv4) — CVE-2026-9770
- Action: Apply the latest security updates now
Notable CVEs
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-9770 | 8.6 | Hardcoded Cryptographic Key Information Disclosure on TP-Link Kasa EC70 and EC71 | 2.4.0 Build 20260520 rel.4191 | Not exploited |
| CVE-2026-13230 | 5.3 | Information Disclosure in Local Discovery Response in TP-Link Kasa EC70 and EC71 | 2.4.1 Build 20260621 rel.76536 | Not exploited |
Affected Versions
Both flaws affect Kasa EC70 v4 and EC71 v4 devices. TP-Link fixed them in firmware 2.4.0 Build 20260520 rel.4191 and 2.4.1 Build 20260621 rel.76536.
Patch and Mitigation Steps
Update affected cameras to the latest firmware through the TP-Link download pages for EC70 and EC71. Next, update the Kasa mobile app on your device. Meanwhile, place IoT cameras on a segmented guest network to limit local attack paths. TP-Link publishes further guidance in its firmware update instructions.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.