CVE-2025-14553

Password Hash Leak Could Lead to Unauthorized Access on Tapo App via Local Network

CVSS 7 HIGHEPSS 0.2%CWE-200

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

16 dic 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Exposure of password hashes through an unauthenticated API response in TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers to brute force the password in the local network. Issue can be mitigated through mobile application updates. Device firmware remains unchanged.

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Productos afectados

TP-Link Systems Inc. · TP-Link Tapo App

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://apps.apple.com/us/app/tp-link-tapo/id1472718009 https://play.google.com/store/apps/details?id=com.tplink.iot https://www.tp-link.com/us/support/faq/4840/