CVE-2025-10991 HIGH

CVE-2025-10991: Root Access via UART

Vendor TP-Link Systems Inc.
Product Tapo D230S1 V1.20
Published September 30, 2025
Last update September 30, 2025

CVSS base score

7.0/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An attacker with physical access to the device may obtain root access by connecting to the UART port. This issue affects Tapo D230S1 V1.20 before 1.2.2 Build 20250907.

Key dates

02 Disclosure timeline

September 30, 2025 CVE published
September 30, 2025 Record updated