CVE-2025-14553 HIGH

CVE-2025-14553: Password Hash Leak Could Lead to Unauthorized Access on Tapo App via Local Network

Vendor TP-Link Systems Inc.
Product TP-Link Tapo App
Weakness CWE-200 · Info exposure
Published December 16, 2025
Last update January 9, 2026

CVSS base score

7.0/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01 Description

Exposure of password hashes through an unauthenticated API response in the TP-Link Tapo app on iOS and Android for Tapo cameras, allowing attackers on the local network to brute-force the password. The issue can be mitigated through mobile application updates. Device firmware remains unchanged.

Key dates

02 Disclosure timeline

December 16, 2025 CVE published
January 9, 2026 Record updated