CVE-2025-8065

A buffer overflow vulnerability exists in the ONVIF XML parser of Tapo C200 V3. An unauthenticated attacker on the same local network segment can send specially crafted SOAP XML requests, causing memory overflow and device crash, resulting in denial-of-service (DoS).

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes	Release Notes
https://www.tp-link.com/us/support/faq/4849/	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.3:build_230228::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.4:build_230424::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.5:build_230717::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.7:build_230920::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.9:build_231019::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.11:build_231115::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.13:build_240327::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.14:build_240513::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.15:build_240715::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.1:build_241212::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.2:build_250313::::::
	cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.4:build_250922::::::

cpe:2.3:h:tp-link:tapo_c200:3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-20 01:16

Updated : 2026-01-08 19:38

NVD link : CVE-2025-8065

Mitre link : CVE-2025-8065

CVE.ORG link : CVE-2025-8065

JSON object : View

Products Affected

tp-link

tapo_c200
tapo_c200_firmware

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

{"id": "CVE-2025-8065", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-20T01:16:05.410", "references": [{"url": "https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes", "tags": ["Release Notes"], "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}, {"url": "https://www.tp-link.com/us/support/faq/4849/", "tags": ["Vendor Advisory"], "source": "f23511db-6c3e-4e32-a477-6aa17d310630"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-120"}]}], "descriptions": [{"lang": "en", "value": "A buffer overflow vulnerability exists in the ONVIF XML parser of Tapo C200 V3. An unauthenticated attacker on the same local network segment can send specially crafted SOAP XML requests, causing memory overflow and device crash, resulting in denial-of-service (DoS)."}], "lastModified": "2026-01-08T19:38:13.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.3:build_230228:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CABD8DE6-9904-499D-919F-9DBD42BE6762"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.4:build_230424:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "254031B5-7CC7-4B9D-970B-FAA6EBC3EAFD"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.5:build_230717:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D61B481-8262-44D4-9A1D-9967AB1805DC"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.7:build_230920:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "50D2F368-F8C8-41E1-9360-8CDF9F89E566"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.9:build_231019:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF80958C-4274-4DEA-9730-176E3E6F21F2"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.11:build_231115:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7AA1B7FA-D418-46B2-A530-BF67E550E38F"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.13:build_240327:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC4382B5-C7EC-4B98-AF28-8D08D0771133"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.14:build_240513:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FCE1F5E-E84B-4CF4-B8A4-7A3448A0D127"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.15:build_240715:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C05AC5C2-5BB7-499A-AE2B-414103317D47"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.1:build_241212:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1ED28D6-9441-440A-81D8-EB539D50BB56"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.2:build_250313:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51E28752-8B46-48CD-86B5-437449AED7C0"}, {"criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.4:build_250922:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ECBC265E-2AA6-471E-A7BE-8F35DDA28645"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:tp-link:tapo_c200:3:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "101FA54E-1A3D-4A38-BBD0-8DAFAC414EA3"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630"}