CVE-2026-6250
An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format st...
Affects 0 products across 1 vendor.
The Tapo C110 v2 IP camera's ONVIF service contains an authenticated format string vulnerability that allows a remote attacker with valid credentials to manipulate stack memory and redirect execution flow. An attacker can exploit this to trigger an unauthorized factory reset, erasing all device configuration, stored credentials, and causing service disruption. In OT environments where these cameras provide physical security monitoring of critical infrastructure, this could blind operators to site conditions and erase access control configurations.
Is this CVE in your environment?
BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.
Check My Environment →What is CVE-2026-6250?
Is CVE-2026-6250 actively exploited?
How do I remediate CVE-2026-6250?
What systems are affected by CVE-2026-6250?
| CVE ID | CVE-2026-6250 |
|---|---|
| Published | 2026-06-11 |
| Last Modified | 2026-06-11 |
| ICS Relevance | 75% |
| Weakness (CWE) | |
| Source | NVD |
An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption.
Source: NIST NVD / MITRE CVE Database
| Vendor | Product | Fixed Version |
|---|---|---|
| Tp-Link | — | — |
No vendor patch or advisory is publicly available at time of analysis. Monitor TP-Link Tapo security advisories and firmware release notes for CVE-2026-6250 remediation.
| CISA KEV | Not in KEV catalog |
|---|---|
| Public Exploit | Not confirmed |
| PoC Code | Not confirmed |
Deploy rules at the network perimeter firewall and IDS/IPS sensors on the camera VLAN segment. Block all inbound ONVIF traffic (TCP ports 80, 443, 8080, and ONVIF Discovery UDP 3702) from any source other than explicitly authorized management workstations. Additionally, apply a whitelist ACL so only known management IPs can reach the camera management interface. Rate-limit authentication attempts to the ONVIF service.
No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.
Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.
ICS/OT Vulnerability Intelligence for Your Environment
BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.
Join free →