Executive Summary

CVE-2026-6250 is an authenticated format string vulnerability in the ONVIF service of the Tapo C110 v2 camera that lets externally controlled data be interpreted as a format specifier, corrupting stack memory including return addresses. The practical outcome is a remote attacker redirecting execution into an internal factory reset routine, wiping configuration and stored credentials and taking the camera offline.

Technical Exposure Breakdown

The defect lives in the ONVIF service, the standardized interface used for device discovery, configuration, and media streaming across IP cameras. ONVIF is a SOAP over HTTP protocol, and the C110 v2 passes user-controlled string fields from authenticated requests into a formatting function without sanitizing format specifiers. When an attacker injects sequences such as %x, %n, or width specifiers, the underlying C library reads from or writes to stack memory locations the caller never intended to expose.

The %n class of specifiers is the dangerous one. It writes the number of bytes output so far into a pointer pulled from the stack. With controlled offsets, an attacker overwrites a saved return address and redirects control flow. The reported impact is not full arbitrary code execution but a return-to-existing-function technique, pointing execution at an internal factory reset handler already resident in the firmware. That distinction matters for exploit reliability. The attacker does not need to stage shellcode or defeat memory protections on the device. They only need to land control flow on a known internal entry point, which is far easier on a constrained embedded target.

The vulnerability requires authentication, which narrows the threat to credentialed sessions. In OT environments that constraint is weaker than it sounds. Camera credentials are frequently shared, default, or stored in plant documentation and HMI configurations. ONVIF accounts are commonly provisioned with weak passwords and rarely rotated. A single compromised engineering workstation or a captured ONVIF credential converts this from a theoretical bug into a one-request denial of service against every affected camera reachable on the network.

OT Impact and Compliance Risk

The Tapo C110 is a consumer-grade camera, but it shows up in industrial and utility settings far more than vendors admit: substation yards, pump house monitoring, perimeter coverage at water treatment plants, and pipeline valve stations. These deployments treat the camera as a physical security sensor, not an IT asset, so they often sit outside formal patch and inventory programs.

An unauthorized factory reset destroys configuration, deletes stored credentials, drops the device from its network and recording infrastructure, and silences the video feed. For a perimeter or access-control camera, that is a loss of physical situational awareness at the exact moment an adversary may want it gone. The reset also breaks any RTSP or ONVIF integration with a video management system, so the gap may not be noticed until an operator checks the wall.

The compliance exposure is direct. Under NERC CIP-006 physical security of BES Cyber Systems, a forced loss of monitoring at a substation can create an unmonitored access point. For water and wastewater operators, AWIA 2018 risk and resilience assessments assume the integrity of physical monitoring controls. Under IEC 62443, this is a failure of input validation at the component level (CR 3.5) and an availability impact (FR 7). TSA SD-02C pipeline operators carrying these cameras at remote facilities should treat the device as a network-connected asset subject to segmentation requirements.

Compensating Controls

Do not rely on a firmware update reaching these devices on any reasonable timeline. Consumer camera patch cadence does not match OT change windows, and field replacement is often the realistic remediation.

BreachSpider Intel

BreachSpider tracks ONVIF and embedded camera exposure across OT estates so operators can identify affected Tapo C110 v2 units and correlate exploitation activity before a perimeter goes dark.