TP-Link Tapo H200 Firmware Stores Wi-Fi Credentials in Plaintext (CVE-2025-3442)

Critical Vulnerability Information Vulnerability ID: CIVN-2025-0072 CVE Name: CVE-2025-3442 Original Release Date: April 9, 2025 Severity Rating: Medium Affected Systems: - TP-Link Tapo H200 V1 IoT Smart Hub - Firmware version 1.4.0 or earlier Summary: - An information disclosure vulnerability has been reported in the TP-Link Tapo IoT Smart Hub, allowing attackers to retrieve sensitive information from the target device. Target Audience: - End users utilizing the TP-Link Tapo H200 V1 IoT Smart Hub. Risk Assessment: - Medium - Wi-Fi credentials exposure. Impact Assessment: - Potential exposure of Wi-Fi credentials from the TP-Link Tapo IoT Smart Hub. Description: - The TP-Link Tapo H200 V1 IoT Smart Hub is a device designed to manage and connect multiple smart home devices (such as lights, sensors, and appliances) within a single network. - This vulnerability exists in the TP-Link Tapo IoT Smart Hub due to Wi-Fi credentials being stored in plaintext within the device firmware. An attacker with physical access can extract the firmware and analyze binary data to obtain the Wi-Fi credentials stored on the vulnerable device. Solution: - Upgrade the TP-Link Tapo H200 IoT Smart Hub to firmware version 1.5.0. - Download Link Vendor Information: - TP-Link: Official Website References: - TP-Link: Official Website

Goal Reached Thanks to every supporter — we hit 100%!

TP-Link Tapo H200 Firmware Stores Wi-Fi Credentials in Plaintext (CVE-2025-3442)