CVE Alert

CVE-2025-14300

UNKNOWN 0.0

Unauthenticated Access to connectAP API Endpoint on Tapo C100 and C200

CVSS Score: 0.0
EPSS Score: 0.1%
EPSS Percentile: 28th

The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device's Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).

CWE: CWE-306
Vendor: tp-link systems inc.
Product: tapo c200 v3
Published: Dec 20, 2025
Last Updated: Apr 3, 2026
Affected Versions

TP-Link Systems Inc. / Tapo C200 V3
0 < V3_1.4.5 Build 251104
TP-Link Systems Inc. / Tapo C100 v5
0 < V5_1.4.4 Build 260303

References

tp-link.com: https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes
tp-link.com: https://www.tp-link.com/us/support/faq/4849/
tp-link.com: https://www.tp-link.com/en/support/download/tapo-c100/v5/#Firmware-Release-Notes
tp-link.com: https://www.tp-link.com/us/support/download/tapo-c100/v5/#Firmware-Release-Notes
tp-link.com: https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes

Credits

Simone Margaritelli (evilsocket)
Azim Javed of CRAC Learning