CVE-2026-6240 Overview
CVE-2026-6240 is a stack-based buffer overflow [CWE-121] in the TP-Link Tapo C520WS v2 wireless camera. The flaw resides in the Open Network Video Interface Forum (ONVIF) DeleteUsers service. The service fails to enforce boundary checks when processing multiple user deletion parameters. An authenticated attacker on an adjacent network can submit a crafted request containing an excessive number of user identifiers. The oversized input overflows stack memory, producing a service crash or deadlock. Exploitation degrades device management and live monitoring functionality of the affected camera.
Critical Impact
Authenticated adjacent-network attackers can trigger a denial-of-service condition that disables camera management and video monitoring on Tapo C520WS v2 devices.
Affected Products
- TP-Link Tapo C520WS v2 (hardware revision v2)
- Tapo C520WS firmware exposing the ONVIF DeleteUsers service
- Deployments using ONVIF-based management for the Tapo C520WS v2 camera
Discovery Timeline
- 2026-06-06 - CVE-2026-6240 published to the National Vulnerability Database (NVD)
- 2026-06-08 - CVE-2026-6240 last updated in NVD
Technical Details for CVE-2026-6240
Vulnerability Analysis
The vulnerability stems from missing length validation inside the ONVIF DeleteUsers request handler on the Tapo C520WS v2. ONVIF is a standardized SOAP/XML protocol used by IP cameras for management and configuration. The DeleteUsers operation accepts a list of user identifier tokens to remove from the device user database. The handler copies these identifiers into a fixed-size stack buffer without verifying the total count or cumulative size. Supplying an unusually large set of identifiers writes past the buffer boundary and corrupts adjacent stack frame data such as saved registers and return addresses. The corruption causes the ONVIF service process to crash or enter a deadlock state. The result is denial of service against the camera's management plane and monitoring interface.
Root Cause
The root cause is insufficient boundary checking [CWE-121] when iterating over user-supplied identifier arrays in the DeleteUsers SOAP handler. The handler trusts attacker-controlled element counts and lengths instead of bounding writes to the destination stack buffer.
Attack Vector
Exploitation requires authentication and adjacent network access, meaning the attacker must already hold valid high-privilege credentials and reside on the same logical network segment as the camera. The attacker sends a malformed ONVIF SOAP request to the DeleteUsers endpoint containing an excessive number of identifier parameters. The malformed payload overflows the stack buffer and crashes the ONVIF service.
No verified proof-of-concept code is publicly available. The vulnerability mechanism is described in the TP-Link firmware release notes referenced by the NVD entry. See the TP-Link Firmware Release Notes and TP-Link FAQ on Tapo C520WS for vendor technical detail.
Detection Methods for CVE-2026-6240
Indicators of Compromise
- Unexpected restart, crash, or hang of the ONVIF service process on Tapo C520WS v2 cameras
- Loss of video feed or management API responsiveness following authenticated ONVIF SOAP traffic
- ONVIF DeleteUsers requests containing abnormally large arrays of user identifier tokens
- Repeated authenticated SOAP requests originating from a single adjacent host targeting the camera
Detection Strategies
- Inspect ONVIF SOAP request payloads for DeleteUsers operations with identifier counts exceeding documented administrative norms
- Alert on ONVIF service crashes or watchdog-triggered camera reboots correlated with administrative API traffic
- Baseline normal ONVIF management traffic volume and flag deviations from the expected administrative hosts
Monitoring Recommendations
- Forward camera syslog and ONVIF service logs to a central log platform for crash and authentication failure correlation
- Monitor adjacent VLAN segments hosting IP cameras for unexpected SOAP/XML traffic to ONVIF endpoints
- Track administrative authentication events against camera accounts and alert on anomalous source addresses
How to Mitigate CVE-2026-6240
Immediate Actions Required
- Apply the latest Tapo C520WS v2 firmware update published in the TP-Link release notes once available for your region
- Restrict ONVIF management access to a dedicated administrative VLAN isolated from general user networks
- Rotate administrative credentials on all Tapo C520WS v2 cameras to limit the pool of accounts able to reach the vulnerable endpoint
- Disable ONVIF on cameras that do not require third-party video management system integration
Patch Information
TP-Link addresses the vulnerability through firmware updates distributed via the official support portal. Refer to the TP-Link Firmware Release Notes for the corrected firmware version and installation instructions specific to the Tapo C520WS v2 hardware revision.
Workarounds
- Place cameras on an isolated network segment with access control lists restricting ONVIF ports to known management hosts
- Block inbound ONVIF SOAP traffic from untrusted adjacent hosts at the network switch or firewall layer
- Reduce the number of authenticated accounts on each camera to limit the exploitation surface for an authenticated attacker
# Example ACL restricting ONVIF (TCP/2020 default) to a management host
# Replace addresses with your environment values
iptables -A FORWARD -p tcp --dport 2020 -s 10.10.50.10 -d 10.20.30.0/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 2020 -d 10.20.30.0/24 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
