A critical authentication vulnerability affecting TP-Link's VIGI surveillance camera lineup has been disclosed, enabling attackers on local networks to reset administrative credentials without authorization.
Tracked as CVE-2026-0629, the flaw resides in the camera's web interface password recovery function and carries a CVSS v4.0 score of 8.7, indicating high severity.
The authentication bypass flaw stems from improper client-side state manipulation within the password recovery feature.
Attackers on the local area network (LAN) can exploit this weakness to reset the admin password without any verification, granting full administrative access to the affected device.
| CVE ID | Vendor | Product | Vulnerability Type | CVSS v4.0 | Attack Vector |
|---|---|---|---|---|---|
| CVE-2026-0629 | TP-Link | VIGI Cameras (Multiple Series) | Authentication Bypass via Password Recovery | 8.7 | Adjacent Network (LAN) |
The vulnerability requires no elevated privileges, user interaction, or network-level attacks, making it easily exploitable for any user with LAN connectivity.
According to the advisory documentation, the CVSS v4.0 scoring vector is CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
Attackers can achieve high-impact compromises of confidentiality, integrity, and availability through adjacent network access with low attack complexity.
Successful exploitation allows attackers to gain full control of affected VIGI cameras, enabling configuration changes, disabling security features, accessing recorded footage, or using compromised devices as pivot points for lateral network movement. Organizations with VIGI cameras in critical surveillance infrastructure face substantial operational and security risks.
The vulnerability affects an extensive product portfolio spanning 28 distinct VIGI camera series, including the popular Cx45, Cx55, Cx85, and InSight series variants.
The widespread impact necessitates immediate patching across all organizational deployments.
Affected Products and Mitigations
| Product Series | Models | Fixed Version |
|---|---|---|
| VIGI Cx45 | C345, C445 | ≥ 3.1.0 Build 250820 Rel.57668n |
| VIGI Cx55 | C355, C455 | ≥ 3.1.0 Build 250820 Rel.58873n |
| VIGI Cx85 | C385, C485 | ≥ 3.0.2 Build 250630 Rel.71279n |
| VIGI C340S | C340S | ≥ 3.1.0 Build 250625 Rel.65381n |
| VIGI C540S | C540S, EasyCam C540S | ≥ 3.1.0 Build 250625 Rel.66601n |
| VIGI InSight Sx45 | S245, S345, S445 | ≥ 3.1.0 Build 250820 Rel.57668n |
| VIGI InSight Sx55 | S355, S455 | ≥ 3.1.0 Build 250820 Rel.58873n |
Complete patch information for all affected product variants is available through TP-Link's official support channels.
TP-Link has released firmware updates addressing the vulnerability across all affected device models. Organizations should download and deploy the latest firmware versions immediately through the Download Center.
The advisory emphasizes that devices remain vulnerable until patched, and TP-Link assumes no liability for incidents resulting from failure to implement recommended security updates.
Users can access patches through region-specific download centers:
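To turn the fixed-version table into an inventory check, the following added example (not part of the advisory or of TP-Link's tooling) compares a camera's reported firmware string against the minimum listed above. The inventory rows are constructed, and the ordering by version, then build date, then Rel number is an assumption about how the version strings compare.

```python
import re

# Minimum fixed firmware per model, copied from the table above
# (the table covers only part of the 28 affected series).
FIXED = {
    ("C345", "C445"): "3.1.0 Build 250820 Rel.57668n",
    ("C355", "C455"): "3.1.0 Build 250820 Rel.58873n",
    ("C385", "C485"): "3.0.2 Build 250630 Rel.71279n",
    ("C340S",): "3.1.0 Build 250625 Rel.65381n",
    ("C540S",): "3.1.0 Build 250625 Rel.66601n",
    ("S245", "S345", "S445"): "3.1.0 Build 250820 Rel.57668n",
    ("S355", "S455"): "3.1.0 Build 250820 Rel.58873n",
}
MIN_BY_MODEL = {m: v for models, v in FIXED.items() for m in models}
FW_RE = re.compile(r"(\d+(?:\.\d+)*)\s+Build\s+(\d{6})\s+Rel\.(\d+)n?", re.I)

def parse_fw(text):
    """Return ((major, minor, patch), build, rel), or None if unparseable."""
    m = FW_RE.search(text)
    if not m:
        return None
    version = tuple(int(p) for p in m.group(1).split("."))
    return version, int(m.group(2)), int(m.group(3))

def status(model, firmware):
    """Classify a device as 'patched', 'vulnerable' or 'unknown'."""
    words = model.upper().split()
    minimum = MIN_BY_MODEL.get(words[-1]) if words else None
    current = parse_fw(firmware)
    if minimum is None or current is None:
        return "unknown"  # model not in the table, or unexpected version string
    # Assumption: ordering is version, then build date, then Rel number.
    return "patched" if current >= parse_fw(minimum) else "vulnerable"

# Constructed inventory rows (hostnames, the C999 model and firmware strings are made up).
INVENTORY = [
    ("lobby-cam", "VIGI C345", "3.1.0 Build 250820 Rel.57668n"),
    ("dock-cam", "VIGI C485", "3.0.1 Build 250101 Rel.12345n"),
    ("gate-cam", "EasyCam C540S", "3.1.0 Build 250625 Rel.66600n"),
    ("roof-cam", "VIGI C999", "2.0.0 Build 240101 Rel.11111n"),
]

def audit(rows):
    return {name: status(model, fw) for name, model, fw in rows}

if __name__ == "__main__":
    for name, result in audit(INVENTORY).items():
        print(f"{name}: {result}")
```

A result of "unknown" means the model is not among the series listed on this page and has to be checked against the full advisory.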
| Region | Download Portal |
|---|---|
| United States | vigi.com/us/support/download/ |
| Global (English) | vigi.com/en/support/download/ |
| India | vigi.com/in/support/download/ |
CVE-2026-0629 represents a significant security risk for organizations deploying TP-Link VIGI surveillance infrastructure. The ease of exploitation, combined with the extensive affected product range, makes immediate firmware updates a critical priority for maintaining network security posture and preventing unauthorized administrative access to surveillance systems.
