Executive Summary
CVE-2026-6250 is an authenticated format string vulnerability in the ONVIF service of the Tapo C110 v2 camera that lets externally controlled data be interpreted as a format specifier, corrupting stack memory including return addresses. The practical outcome is a remote attacker redirecting execution into an internal factory reset routine, wiping configuration and stored credentials and taking the camera offline.
Technical Exposure Breakdown
The defect lives in the ONVIF service, the standardized interface used for device discovery, configuration, and media streaming across IP cameras. ONVIF is a SOAP over HTTP protocol, and the C110 v2 passes user-controlled string fields from authenticated requests into a formatting function without sanitizing format specifiers. When an attacker injects sequences such as %x, %n, or width specifiers, the underlying C library reads from or writes to stack memory locations the caller never intended to expose.
The %n class of specifiers is the dangerous one. It writes the number of bytes output so far into a pointer pulled from the stack. With controlled offsets, an attacker overwrites a saved return address and redirects control flow. The reported impact is not full arbitrary code execution but a return-to-existing-function technique, pointing execution at an internal factory reset handler already resident in the firmware. That distinction matters for exploit reliability. The attacker does not need to stage shellcode or defeat memory protections on the device. They only need to land control flow on a known internal entry point, which is far easier on a constrained embedded target.
The vulnerability requires authentication, which narrows the threat to credentialed sessions. In OT environments that constraint is weaker than it sounds. Camera credentials are frequently shared, default, or stored in plant documentation and HMI configurations. ONVIF accounts are commonly provisioned with weak passwords and rarely rotated. A single compromised engineering workstation or a captured ONVIF credential converts this from a theoretical bug into a one-request denial of service against every affected camera reachable on the network.
OT Impact and Compliance Risk
The Tapo C110 is a consumer-grade camera, but it shows up in industrial and utility settings far more than vendors admit: substation yards, pump house monitoring, perimeter coverage at water treatment plants, and pipeline valve stations. These deployments treat the camera as a physical security sensor, not an IT asset, so they often sit outside formal patch and inventory programs.
An unauthorized factory reset destroys configuration, deletes stored credentials, drops the device from its network and recording infrastructure, and silences the video feed. For a perimeter or access-control camera, that is a loss of physical situational awareness at the exact moment an adversary may want it gone. The reset also breaks any RTSP or ONVIF integration with a video management system, so the gap may not be noticed until an operator checks the wall.
The compliance exposure is direct. Under NERC CIP-006 physical security of BES Cyber Systems, a forced loss of monitoring at a substation can create an unmonitored access point. For water and wastewater operators, AWIA 2018 risk and resilience assessments assume the integrity of physical monitoring controls. Under IEC 62443, this is a failure of input validation at the component level (CR 3.5) and an availability impact (FR 7). TSA SD-02C pipeline operators carrying these cameras at remote facilities should treat the device as a network-connected asset subject to segmentation requirements.
Compensating Controls
Do not rely on a firmware update reaching these devices on any reasonable timeline. Consumer camera patch cadence does not match OT change windows, and field replacement is often the realistic remediation.
- Network isolation. Place all ONVIF cameras on a dedicated VLAN with no routed path from IT or engineering subnets. Restrict ONVIF and RTSP ports (typically 80, 554, 2020, 8000) to the video management server by source IP only.
- Virtual patch at the perimeter. Block external authenticated ONVIF SOAP traffic that contains format specifier sequences in user-controllable string fields before it reaches the device.
- Suricata concept. Alert on HTTP POST traffic to ONVIF endpoints where the SOAP body contains percent-formatted tokens such as
%n,%x, or repeated%patterns inside element values. Match oncontent:"onvif"; http.request_body; pcre:"/%[0-9.\-]*[nxsp]/"and drop the session. Tune against legitimate payloads that may carry literal percent signs. - Credential hygiene. Rotate all ONVIF accounts, remove defaults, and pull camera credentials out of shared documentation.
- Avoid active scanning of the live device. Probing the ONVIF stack with format string fuzzing can itself trigger the reset or hang the camera. Validate against a bench unit, never on a deployed substation or pump house camera.
BreachSpider Intel
BreachSpider tracks ONVIF and embedded camera exposure across OT estates so operators can identify affected Tapo C110 v2 units and correlate exploitation activity before a perimeter goes dark.