PT-2026-3270 · Unknown · Vigi Camera

Arko Dhar +1 · Published 2026-01-16 · Updated 2026-02-27 · CVE-2026-0629

CVSS v4.0: 8.7
Vector: AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

TP-Link VIGI Cameras (affected versions not specified)

Description

An authentication bypass issue exists in the password recovery feature of the local web interface of TP-Link VIGI cameras. This allows an attacker on the Local Area Network (LAN) to reset the administrator password without verification by manipulating client-side state. Successful exploitation grants the attacker full administrative access to the device, potentially compromising configuration and network security. Over 2,500 internet-exposed cameras have been identified, increasing the risk of real-world takeover for poorly segmented or publicly reachable deployments. Attackers could gain access to live and recorded video feeds, disable security features, alter configurations, and potentially use the compromised devices for lateral movement within a network. The vulnerability affects over 32 VIGI C and InSight camera models.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-0629

Affected Products

Vigi Camera