On February 5, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory for a high-severity authentication bypass affecting dozens of TP-Link VIGI IP camera models. The flaw, listed as CVE-2026-0629, allows an attacker on the same local network to reset the administrator password without any valid credentials or user interaction. Once in, they can take full control of the camera, spy on live feeds, tamper with recordings, and use the device as a foothold into broader networks.
TP-Link has released firmware updates for all impacted models, and CISA strongly urges immediate patching. The advisory marks the first public disclosure of the vulnerability, though researchers had been tracking it for some time. No known active exploitation has been reported to CISA yet, but the ease of exploitation and the millions of VIGI cameras deployed worldwide make a swift response critical.
What Changed: A Password Recovery Flaw Opens the Door
The core issue lies in the camera’s local web-based management interface. When an administrator initiates a password recovery, the device validates the request using client-side state—such as cookies or local storage tokens—that can be manipulated by an attacker. By tampering with this state, an unauthenticated user on the adjacent network can trick the camera into resetting the admin password, then log in with full privileges.
TP-Link describes it as an “authentication bypass via client-side state manipulation” and maps it to CWE-287 (Improper Authentication). The CVSS v3.1 base score is 8.8 (High), with a vector of AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H—indicating that attacks can be launched from the local network, require low complexity, no privileges, and no user interaction, and completely compromise confidentiality, integrity, and availability. The v4.0 score is 8.7.
The vulnerability affects a sprawling list of VIGI models, from the Cx20 series to the latest InSight line. CISA’s advisory catalogues over 30 product families and sub-variants, each tied to specific firmware build numbers. Below is a condensed table of representative affected series, along with the fixed firmware versions. For precise matching, check your camera’s exact build string in its web interface or management software.
| Model Family | Example Models | Affected Versions (≤) | Fixed Version |
|---|---|---|---|
| VIGI Cx45 | C345, C445 | 3.1.0_Build_250820_Rel.57668n | ≥ same build but with patch (check vendor) |
| VIGI Cx55 | C355, C455 | 3.1.0_Build_250820_Rel.58873n | ≥ same build patched |
| VIGI Cx85 | C385, C485 | 3.0.2_Build_250630_Rel.71279n | ≥ same build patched |
| VIGI C540S | C540S, EasyCam C540S | 3.1.0_Build_250625_Rel.66601n | ≥ same build patched |
| VIGI C250 | C250 | 2.1.0_Build_250702_Rel.54301n | ≥ patched build |
| VIGI InSight Sx45 | S245, S345, S445 | 3.1.0_Build_250820_Rel.57668n | ≥ patched build |
| VIGI InSight Sx55 | S355, S455 | 3.1.0_Build_250820_Rel.58873n | ≥ patched build |
Note that many models have sub-revisions (1.0, 1.20, 2.0) with distinct firmware branches. The full list from CISA includes 32 separate entries; owners should consult the TP-Link advisory or the CISA ICS advisory for their exact device.
What It Means for You
The impact varies by deployment scenario, but the common thread is loss of trust. An attacker who resets the admin password gains unrestricted access to all camera functions. Here’s how different users are affected:
Home and Small Business Users
If your VIGI camera is connected to a home router without VLANs or firewall restrictions, any device on your Wi-Fi or LAN can exploit this bug. An infected IoT gadget, a guest’s laptop, or a neighbor who cracks your Wi-Fi could theoretically take over the camera. The breach could expose live footage of your home, store, or office. If the camera records to an SD card or NVR, stored video may also be accessed or deleted.
IT Administrators and Managed Service Providers
For enterprises and integrators, the risk is magnified. Cameras often sit on flat networks or lightly segmented VLANs. A compromised camera can serve as a pivot into NVRs, video management servers, or even corporate Active Directory if credentials are reused. Attackers could also modify recording schedules to hide intrusions, disable motion alerts, or stream video to external servers.
If you manage a fleet of VIGI cameras, you need to inventory them immediately, isolate vulnerable units, and push firmware updates. Because the attack requires only LAN access, even cameras behind a NAT are vulnerable if an attacker gains a foothold elsewhere on the network (e.g., via a phishing email with a reverse shell).
Integrators and Custom Installers
If you’ve deployed VIGI cameras at client sites, you carry the burden of notification and remediation. You must check every installation, verify firmware versions, and schedule maintenance windows. In many cases, these cameras are in sensitive locations—courtrooms, hospitals, schools—where a privacy breach could lead to legal consequences.
How We Got Here: IoT’s Recurring Nightmare
Camera vulnerabilities are hardly new, but the scale of this disclosure is notable. TP-Link’s VIGI line is a staple in commercial surveillance, sold through major distributors and installed by thousands of integrators. The flaw is textbook: a password recovery flow that relies on client-provided state for authentication. This design pattern has plagued IoT devices for years, yet it persists.
One reason is the rush to add user-friendly features without robust security review. Password recovery mechanisms often avoid asking for existing credentials to reduce support calls. But if that flow doesn’t properly verify the requestor’s identity, it becomes an open door.
Independent researchers had noted an uptick in exposed VIGI cameras in late 2025 and early 2026. Internet-wide scans by several organizations revealed thousands of cameras with their management interfaces reachable from the public internet—either through misconfigured port forwarding or UPnP. These public-facing devices would be trivial targets for automated attacks. Even without remote access, the adjacency requirement is a low bar in shared office spaces, co-working setups, or dormitories.
TP-Link’s advisory, released alongside the CISA notice, provides the remediation roadmap. But the existence of dozens of sub-variants and build strings means the patching effort is not a one-click affair. A simple version check can mislead: a camera reporting “2.1.0” might be vulnerable if the build number is below the fixed threshold, or it might be safe if patched. This granularity has historically tripped up automated scanners and overworked IT teams.
What to Do Now: A 5-Step Triage and Patch Plan
1. Find Every VIGI Camera on Your Network
Use your network scanner of choice (nmap, Advanced IP Scanner, or an RMM tool) to discover all IP cameras. Export the list with MAC addresses, IPs, and firmware versions. If you have a VIGI NVR or the VIGI Security Manager, query it for a complete device list and firmware details.
2. Block Internet Exposure Immediately
Check your firewall rules for any port forwarding that exposes TCP/80, TCP/443, or the camera’s management port (often 80/443) to the internet. Disable UPnP if enabled on the router. If remote access is required, set up a VPN with multi-factor authentication, or use a privileged access workstation that connects through a secured tunnel. Camera management interfaces should never be directly reachable from the WAN.
3. Isolate Vulnerable Cameras While You Patch
Move all affected cameras to a dedicated management VLAN with strict ACLs. Allow only your management servers (and your patching workstation) to initiate connections to that VLAN. Block all outbound connections from the camera VLAN to the rest of your network unless explicitly needed (e.g., NTP, video streaming to NVR). This limits the blast radius if exploitation occurs before patching.
4. Apply Firmware Updates—the Right Way
- Download the correct firmware from the TP-Link US Download Center (or the relevant regional site). Verify the file’s checksum if provided.
- Stage updates in a small test group. After updating one camera, verify that video streams, motion detection, and NVR connectivity still work.
- Document the exact firmware build number before and after. The web UI or VIGI app will show a string like “3.1.0 Build 250820 Rel.57668n.” After patching, the build number may stay the same but the file date or a “patched” flag will differ; check TP-Link’s notes for your model.
- If mass deployment is needed, use the VIGI Security Manager for batch updates. Expect a brief reboot—schedule maintenance windows for critical cameras.
- After updating, force a password change for the admin account and any non-default users. Rotate any shared credentials.
5. Hunt for Signs of Compromise
- Review camera logs for unauthorized password changes, new user accounts, or unusual login times.
- Check your NVR for unusual camera registrations or disconnected cameras that were later re-added.
- Set up SIEM alerts for failed recovery flow attempts (e.g., repeated POSTs to
/cgi-bin/...endpoints) and admin password resets from unknown IPs. - If you find evidence of tampering, consider the camera fully compromised. Re-flash firmware, reset to factory defaults, and reconfigure from scratch. Do not restore a backup that may harbor backdoored settings.
The Bigger Picture
CVE-2026-0629 is a reminder that physical security devices are now critical nodes on the digital network. Cameras must be treated like servers: regularly patched, segmented, and monitored. The failure of a password recovery mechanism to authenticate the requestor is a basic design error, yet it affects a broad product line from a major vendor.
Looking ahead, organizations should require from their vendors:
- A public, machine-readable security advisory feed with precise affected version ranges.
- Signed firmware updates with cryptographic verification.
- Support for automated onboarding that enforces strong, unique credentials from day one.
For now, the patch is available, and the attack surface is clearly defined. The window between disclosure and active exploitation is closing fast. Patch your cameras, lock down your networks, and verify that the fix is in place. Your privacy—and your clients’—depends on it.