CVE-2026-0629 is a high-severity authentication bypass vulnerability affecting multiple VIGI and VIGI InSight IP camera models. The flaw exists in the password recovery mechanism of the local web management interface.
Due to improper server-side validation, an attacker connected to the same local network can reset the administrator password without prior authentication by manipulating client-side parameters used during the password recovery workflow.
Once exploited, the attacker gains full administrative control of the device.
Severity
- CVSS v4.0 Score: 8.7 (High)
- Attack Vector: Adjacent (LAN)
- Privileges Required: None
- User Interaction: None
- Impact: High confidentiality, integrity, and availability impact
CVSS Vector:
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Technical Description
The vulnerable behavior occurs during the password recovery / reset process exposed by the camera’s local web interface.
Root Cause
- The password recovery flow relies on client-side state variables (such as flags, steps, or tokens) to determine whether a password reset is authorized.
- These values are not cryptographically bound to a verified authentication state.
- The server fails to re-validate the legitimacy of the password recovery request.
As a result, an attacker can:
- Access the password recovery endpoint directly.
- Modify or replay client-side parameters.
- Trigger an admin password reset without verification.
This is a classic server-trusting-client-state vulnerability.
Impact
Successful exploitation allows an attacker to:
- Reset the admin password
- Log in with full administrative privileges
- Change device configuration and network settings
- Disable alerts, logging, or security controls
- Access live and recorded video streams
- Use the camera as a persistence point or pivot inside the LAN
In enterprise or multi-tenant environments, this can lead to surveillance compromise, lateral movement, and regulatory exposure.
Exploitation Notes (Educational Use Only)
- Exploitation requires only network access to the camera (wired or wireless).
- No credentials or user interaction are needed.
- The attack is typically performed by:
  - Intercepting the password recovery workflow using a web proxy
  - Modifying recovery state parameters
  - Submitting a crafted request directly to the recovery endpoint
No public exploit framework is required. The vulnerability is low complexity and highly reliable once network access is obtained.
⚠️ This information is provided strictly for defensive and educational purposes.
Detection & Monitoring
Network-Level Indicators
Monitor HTTP/HTTPS traffic destined for camera management interfaces for:
- Direct access to password recovery or reset endpoints
- Repeated recovery attempts without a preceding login
- Password reset requests originating from non-administrative subnets
Example Detection Logic (Conceptual)
IF (request.uri CONTAINS "/password_recovery" OR request.uri CONTAINS "/reset_password")
AND no valid session cookie is present
THEN alert
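The network-level indicators above as a stateful check, in an added example that is not part of the original advisory: it runs over constructed HTTP request records and covers all three bullets. The record layout, the `session` cookie name, the `/login` path, the meaning of status 200 and the admin subnet are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions, not from the advisory: the record layout, the "session" cookie
# name, the /login path, a 200 meaning a successful login, and the admin subnet.
# The two recovery paths are the ones the conceptual rule matches on.
RECOVERY_PATHS = ("/password_recovery", "/reset_password")
LOGIN_PATH = "/login"
ADMIN_NETS = [ipaddress.ip_network("10.0.50.0/24")]
REPEAT_THRESHOLD = 3


def analyze(records):
    """Return (src, reason) alerts for time-ordered requests to one camera."""
    logged_in = set()            # sources with an earlier successful login
    attempts = defaultdict(int)  # recovery hits per source with no prior login
    alerts = []
    for r in records:
        src, path = r["src"], r["path"].lower()
        if path.startswith(LOGIN_PATH) and r["status"] == 200:
            logged_in.add(src)
            continue
        if not any(p in path for p in RECOVERY_PATHS):
            continue
        if not any(ipaddress.ip_address(src) in net for net in ADMIN_NETS):
            alerts.append((src, "recovery request from non-admin subnet"))
        if "session" not in r["cookies"]:
            alerts.append((src, "recovery request without session cookie"))
        if src not in logged_in:
            attempts[src] += 1
            if attempts[src] == REPEAT_THRESHOLD:
                alerts.append((src, "repeated recovery attempts without login"))
    return alerts


def rec(src, path, status=200, cookies=None):
    """Build one constructed request record."""
    return {"src": src, "path": path, "status": status, "cookies": cookies or {}}


# Constructed sample traffic, oldest first.
SAMPLE = [
    rec("10.0.50.7", "/login"),
    rec("10.0.50.7", "/reset_password", cookies={"session": "constructed"}),
    rec("10.0.20.31", "/password_recovery"),
    rec("10.0.20.31", "/reset_password"),
    rec("10.0.20.31", "/reset_password"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```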
Log-Based Detection
If device logs are available:
- Look for admin password changes without:
  - Successful login events
  - Physical reset actions
- Detect configuration changes shortly after a password reset event
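One way to correlate these events, as an added example rather than vendor tooling: the log line format, the event names and both time windows are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Assumed windows; tune to how the devices are actually administered.
LOOKBACK = timedelta(minutes=10)  # a login/physical reset this recent explains a change
FOLLOWUP = timedelta(minutes=5)   # "shortly after" window for config changes
EXPLAINS = {"login_success", "physical_reset"}


def parse(line):
    """Parse an assumed '<ISO timestamp> <device> <event>' log line."""
    ts, device, event = line.split(" ", 2)
    return datetime.fromisoformat(ts), device, event.strip()


def correlate(lines):
    """Return (device, timestamp, reason) findings across all devices."""
    last_explained = {}   # device -> time of last login or physical reset
    last_suspicious = {}  # device -> time of last unexplained password change
    findings = []
    for ts, dev, ev in sorted(parse(l) for l in lines if l.strip()):
        if ev in EXPLAINS:
            last_explained[dev] = ts
        elif ev == "admin_password_change":
            prev = last_explained.get(dev)
            if prev is None or ts - prev > LOOKBACK:
                last_suspicious[dev] = ts
                findings.append((dev, ts.isoformat(),
                                 "password change without login or physical reset"))
        elif ev == "config_change":
            sus = last_suspicious.get(dev)
            if sus is not None and ts - sus <= FOLLOWUP:
                findings.append((dev, ts.isoformat(),
                                 "config change shortly after unexplained reset"))
    return findings


# Constructed sample device log.
SAMPLE_LOG = """\
2026-01-20T09:00:00 cam-01 login_success
2026-01-20T09:02:10 cam-01 admin_password_change
2026-01-20T09:03:00 cam-01 config_change
2026-01-20T11:15:00 cam-02 admin_password_change
2026-01-20T11:16:30 cam-02 config_change
2026-01-20T12:40:00 cam-02 config_change
""".splitlines()

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```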
IDS / IPS Rule (Generic Example)
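# sid 1000001 is a placeholder from the local-rule range; pick one unused in your rule set.
# Plaintext content matches on port 443 only fire where TLS is decrypted before the sensor.
alert tcp $LOCAL_NET any -> $CAMERA_NET [80,443] ( \
msg:"Possible VIGI camera auth bypass attempt"; \
flow:to_server,established; \
content:"password"; nocase; \
content:"recovery"; nocase; \
threshold:type threshold, track by_src, count 3, seconds 60; \
sid:1000001; rev:1;)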
(Rule should be tuned to your environment and traffic patterns.)
Behavioral Indicators
- Sudden loss of access to camera admin accounts
- Unexpected reboots or configuration changes
- Disabled motion detection, alerts, or logging
- Cameras initiating outbound connections unexpectedly
Affected Products
The vulnerability affects a large number of VIGI and VIGI InSight camera models across multiple hardware generations.
Only firmware updates fully remediate the issue.
A partial list includes:
- VIGI Cx45 / Cx55 / Cx85 series
- VIGI C340S, C540S, C540V
- VIGI C250, C350, C450
- VIGI C-I and C-W variants
- VIGI InSight Sx25, Sx45, Sx55, Sx85 and derivatives
- 4G and wireless models
(Exact fixed versions vary by model and hardware revision.)
Remediation
Required Action
Update firmware immediately to the fixed version corresponding to your exact model and hardware revision.
There are no effective configuration-only mitigations for this vulnerability.
Official Firmware Download Links
Use the vendor’s official download centers only:
- Global / US: https://www.tp-link.com/support/download/
- English (International): https://www.tp-link.com/en/support/download/
- India: https://www.tp-link.com/in/support/download/
Temporary Risk Reduction (Not a Fix)
Until updates are applied:
- Restrict access to camera web interfaces via firewall rules
- Place cameras in isolated VLANs
- Block camera management interfaces from user networks
- Monitor for unauthorized password changes
- Disable unused services and remote access features
CVE-2026-0629 is particularly dangerous because it targets infrastructure devices that are often implicitly trusted and poorly monitored. Cameras should be treated as high-risk network assets, not passive IoT devices.
