TP-Link Kasa Camera Flaws Expose Credentials and Enable Local MitM Attacks


TP-Link has released security updates for two information-disclosure vulnerabilities affecting Kasa EC70 v4 and EC71 v4 cameras. The more serious flaw can enable passive traffic decryption or active man-in-the-middle attacks against the cameras’ web management communications.

The vulnerabilities are tracked as CVE-2026-9770 and CVE-2026-13230. Both require the attacker to reach the same local network as the vulnerable camera, and neither requires authentication or user interaction.

TP-Link addressed the problems in two firmware releases. Owners should update their EC70 v4 or EC71 v4 camera to firmware 2.4.1 Build 20260621 rel.76536 or a newer version to receive fixes for both vulnerabilities.

The security problems affect hardware version 4 of the Kasa EC70 and EC71 cameras. Other hardware revisions are not listed as affected in the TP-Link camera security advisory.

Hardware versions matter because TP-Link may sell several revisions of a product under the same model name. Firmware intended for one revision may not work on another, so users should verify both the model and hardware version before downloading an update.

The hardware version normally appears on the camera’s product label, packaging, device information screen, or support page. Users should not assume that every EC70 or EC71 camera is affected.

Camera modelAffected hardwareVulnerabilitiesRecommended firmware
Kasa EC70Version 4CVE-2026-9770 and CVE-2026-132302.4.1 Build 20260621 rel.76536 or later
Kasa EC71Version 4CVE-2026-9770 and CVE-2026-132302.4.1 Build 20260621 rel.76536 or later

CVE-2026-9770 Uses a Shared Static Cryptographic Key

CVE-2026-9770 is the more severe issue. TP-Link assigned it a CVSS 4.0 score of 8.6, placing it in the High severity category.

The firmware contains a static cryptographic private key stored in a read-only file system. The same key is shared across affected devices, according to the CVE-2026-9770 security record.

An attacker who obtains the camera firmware can extract the embedded key. If that attacker can also reach a vulnerable camera on the same network, the key may help compromise communications with the device’s web management service.

CVE-2026-9770 detailValue
WeaknessCWE-321, Use of Hard-coded Cryptographic Key
CVSS 4.0 score8.6, High
Attack vectorAdjacent network
Privileges requiredNone
User interactionNone
Potential impactTraffic decryption, MitM attacks, and credential exposure
Fixed version2.4.0 Build 20260520 rel.4191

A man-in-the-middle attacker places a malicious system between two communicating devices. This position may allow the attacker to observe protected traffic, impersonate one side of a connection, or alter information sent between them.

For these TP-Link cameras, the attacker must first gain access to the local network. Possible routes include an insecure guest network, a compromised router, stolen Wi-Fi credentials, or another infected device connected to the same network.

The extracted private key could then support passive decryption or an active MitM attack against web management traffic. TP-Link warns that successful exploitation may expose administrative credentials.

  • A malicious user connects to the same shared Wi-Fi network as the camera.
  • An attacker compromises the home or office router.
  • Malware on another local device gains access to the camera network.
  • A poorly segmented guest network permits access to IoT devices.
  • An attacker with physical proximity obtains access to an inadequately protected wireless network.

The flaw does not provide a direct internet-based attack path by itself. The CVSS vector classifies it as an adjacent-network vulnerability, meaning the attacker needs local network proximity or an existing foothold.

CVE-2026-13230 Exposes Geolocation Information

The second vulnerability affects the cameras’ local discovery mechanism. This service helps applications and other devices find cameras on the local network.

CVE-2026-13230 allows an unauthenticated attacker on the same network to retrieve geolocation-related information through crafted discovery responses. TP-Link assigned the flaw a CVSS 4.0 score of 5.3, rated Medium.

The CVE-2026-13230 record classifies the weakness as CWE-200, Exposure of Sensitive Information to an Unauthorized Actor. TP-Link found an impact on confidentiality but no evidence of effects on integrity or availability.

CVE-2026-13230 detailValue
WeaknessCWE-200, Exposure of Sensitive Information
CVSS 4.0 score5.3, Medium
Attack vectorAdjacent network
Authentication requiredNo
Exposed informationGeolocation-related data
Integrity impactNone identified
Availability impactNone identified
Fixed version2.4.1 Build 20260621 rel.76536

Different Firmware Releases Fix the Two Vulnerabilities

Firmware 2.4.0 Build 20260520 rel.4191 fixes the static cryptographic key issue, CVE-2026-9770. Firmware 2.4.1 Build 20260621 rel.76536 fixes the local discovery information leak, CVE-2026-13230.

Because the second update is newer, camera owners should install version 2.4.1 or later. Installing only version 2.4.0 would address the MitM risk but leave the discovery-service vulnerability unresolved.

The affected-version information in the CVE-2026-9770 entry lists EC70 v4 and EC71 v4 firmware older than 2.4.0 as vulnerable to the shared-key flaw.

Firmware releaseSecurity issue fixed
2.4.0 Build 20260520 rel.4191CVE-2026-9770
2.4.1 Build 20260621 rel.76536CVE-2026-13230 and the earlier CVE-2026-9770 fix

How to Update a Kasa EC70 or EC71 Camera

TP-Link recommends installing the latest firmware through its official support resources and updating the Kasa mobile application. Users should avoid firmware files offered through third-party websites.

The TP-Link EC70 and EC71 advisory provides separate download links for each model and region. The company warns that devices without the listed updates or mitigations may remain vulnerable.

Camera owners should keep the device powered and connected throughout the update. Interrupting a firmware installation may cause the camera to stop working correctly.

  1. Confirm that the camera is an EC70 v4 or EC71 v4.
  2. Open the Kasa app and check the installed firmware version.
  3. Update the Kasa app through the official mobile app store.
  4. Install the latest firmware offered for the exact camera model and region.
  5. Wait for the camera to restart and reconnect.
  6. Verify that the installed version is 2.4.1 Build 20260621 rel.76536 or newer.
  7. Confirm that live viewing and management functions work normally.

Network Segmentation Reduces Local Attack Risk

Both vulnerabilities require access to the same network as the camera. Separating smart cameras and other IoT products from computers, phones, workstations, and sensitive servers can therefore limit the available attack paths.

A dedicated IoT Wi-Fi network or VLAN should restrict direct communication between cameras and other local devices. Guest networks should also block clients from reaching private network segments.

Segmentation does not replace the firmware update. A compromised router or another infected device inside the camera network may still reach an unpatched camera.

  • Place cameras on a separate IoT network or VLAN.
  • Use WPA2 or WPA3 encryption with a strong Wi-Fi password.
  • Disable unnecessary local access to camera management services.
  • Keep the router and wireless access points updated.
  • Prevent guest-network clients from reaching IoT devices.
  • Remove unknown or unused devices from the local network.
  • Use unique passwords for TP-Link and wireless accounts.

What to Do if Camera Credentials May Be Exposed

TP-Link has not reported active exploitation of these vulnerabilities. However, users who operated affected cameras on an untrusted or shared network should review their security settings after updating.

If administrative credentials may have crossed a compromised connection, users should change those credentials after installing the patched firmware. Reusing the same password across other services increases the potential impact of credential exposure.

The CVE-2026-13230 affected-version data confirms that firmware older than 2.4.1 Build 20260621 rel.76536 remains vulnerable to the geolocation disclosure issue. Updating to the latest available release provides the clearest protection against both flaws.

FAQ

Which TP-Link cameras are affected by CVE-2026-9770 and CVE-2026-13230?

The vulnerabilities affect hardware version 4 of the TP-Link Kasa EC70 and EC71 cameras.

Can the TP-Link camera vulnerabilities be exploited over the internet?

The published attack vectors require access to the same local or adjacent network as the camera. The flaws do not provide a direct remote internet attack path by themselves.

What can attackers do with CVE-2026-9770?

An attacker with the embedded private key and local network access may decrypt protected management traffic or conduct a man-in-the-middle attack that exposes administrative credentials.

What information does CVE-2026-13230 expose?

The vulnerability can disclose geolocation-related information through the cameras’ local discovery mechanism without requiring authentication.

Which firmware version fixes both TP-Link camera vulnerabilities?

Kasa EC70 v4 and EC71 v4 owners should install firmware 2.4.1 Build 20260621 rel.76536 or a newer release to address both vulnerabilities.

Has TP-Link reported active attacks using these flaws?

TP-Link has not reported active exploitation. Users should still update promptly because an attacker who gains local network access could target unpatched cameras.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages