TP-Link Router Flaw Enables Authentication Bypass Through Password Recovery Mechanism

[Brownie2019]

Content source

https://gbhackers.com/tp-link-router-flaw-enables-authentication-bypass/

TP-Link has disclosed a high-severity authentication bypass vulnerability affecting its VIGI security camera lineup, allowing attackers on local networks to reset administrator passwords without verification.

The flaw lies in the password recovery feature of the local web interface, which is exploited via client-side state manipulation.

The vulnerability (CVE-2026-0629) enables threat actors positioned on the same local area network (LAN) to gain full administrative access to VIGI cameras by circumventing the password recovery authentication mechanism.

By manipulating client-side state variables during recovery, attackers bypass verification checks intended to prevent unauthorized password resets.

This attack vector is particularly concerning because it requires no prior authentication, no special privileges, and occurs entirely through local web interface interactions.

Full Story on:

TP-Link Router Flaw Enables Authentication Bypass Through Password Recovery Mechanism

TP-Link has disclosed a high-severity authentication bypass vulnerability affecting its VIGI security camera lineup.

gbhackers.com

 

[Bot]

Full Story on:

TP-Link Router Flaw Enables Authentication Bypass Through Password Recovery Mechanism

TP-Link has disclosed a high-severity authentication bypass vulnerability affecting its VIGI security camera lineup.

gbhackers.com

This one is legitimate: TP-Link published an official advisory for CVE-2026-0629 on January 16, 2026, describing an authentication bypass in the VIGI cameras’ local web UI password recovery flow that can let an attacker on the same LAN reset the admin password by manipulating client-side state. ([tp-link.com](https://www.tp-link.com/us/support/faq/4899/))

Also worth noting: the GBHackers URL/title says “router flaw,” but CVE-2026-0629 (per TP-Link and NVD) is about VIGI cameras (local web interface password recovery), not TP-Link routers. ([tp-link.com](https://www.tp-link.com/us/support/faq/4899/))

What the risk actually means (practically) ([tp-link.com](https://www.tp-link.com/us/support/faq/4899/))

• Attack requirement: attacker must already have access to your local network (same LAN / reachable segment).
• No prior login needed: the bypass happens through the password recovery workflow.
• Impact: full admin control of the camera once the password is reset (settings, streams, accounts, etc.).

Fix / remediation (do this first) ([tp-link.com](https://www.tp-link.com/us/support/faq/4899/))

• Update camera firmware to a fixed build listed in TP-Link’s advisory (it lists many VIGI models/series and the minimum fixed versions).
• After updating, change the admin password (and any other camera/VMS/NVR credentials that might be shared/reused).

Hardening / mitigation (recommended even after patching)

• Segment cameras: put cameras on their own VLAN/subnet and restrict which hosts can reach the camera web UI (only NVR/VMS/admin workstation).
• Block untrusted lateral access: do not allow guest Wi-Fi / IoT devices to reach the camera management interface.
• Avoid exposing management interfaces: don’t port-forward camera web UI to the Internet; use a VPN for remote admin if needed.
• If compromise is suspected: consider factory reset + re-provisioning after upgrading firmware, then review key settings (users/accounts, ONVIF/RTSP exposure, DNS/NTP, outbound connectivity, recording destinations).

Bottom line
Treat this as a high-severity LAN attack and prioritize firmware updates and network segmentation; that’s what removes the root cause and reduces the chance that any “on-LAN” attacker can take over the cameras. ([tp-link.com](https://www.tp-link.com/us/support/faq/4899/))

Sources

• Security Advisory on Authentication Bypass in Password Recovery Feature via Local Web App on VIGI Cameras (CVE-2026-0629) | TP-Link
• NVD - CVE-2026-0629

 

[Divergent]

Technical Analysis

Vulnerability Indicator
CVE-2026-0629

Severity
CVSS v4.0 Score: 8.7 (High)

Attack Vector
Local Network (LAN) / Web Interface

Vulnerability Type
CWE-287 (Improper Authentication) / CWE-602 (Client-Side Enforcement of Server-Side Security)

Affected Product Series
The vulnerability impacts at least 30 hardware variants across the VIGI lineup, including:

Bullet Cameras
VIGI Cx45, Cx55, Cx85, C340S, C540S

Turret/Dome Cameras
VIGI C540V, C250, Cx50, Cx30, Cx40

Specialty
VIGI InSight series, C540-4G (Cellular), and Cx40-W (Wireless)

Recommendation & Remediation

Priority 1
Firmware Patching (Critical) TP-Link has released firmware updates to address this flaw. You must update all VIGI devices to the "Fixed Version" or later immediately.

VIGI Cx45 / Cx55 / C340S
Update to version ≥ 3.1.0

VIGI Cx85
Update to version ≥ 3.0.2

VIGI Cx50 / Cx20I / Cx30I
Update to version ≥ 2.1.0

Action
Download the latest firmware from the official TP-Link support center for your region (e.g., support.vigi.com/us).

Priority 2
Network Segmentation (Defense in Depth) This vulnerability exploits local LAN access. To mitigate risk if patching is delayed or to protect against future LAN-based flaws, strictly adhere to NIST SP 800-171 (3.13.1) regarding network separation:

Isolate IoT/Cameras
Place all VIGI cameras on a dedicated VLAN (Virtual Local Area Network).

Restrict Inter-VLAN Routing
Configure firewall rules to block all traffic from the General User/Wi-Fi VLANs into the Camera VLAN. Only specific management IP addresses (e.g., the NVR or a dedicated admin workstation) should be allowed to communicate with the cameras on ports 80/443.

Disable Universal Plug and Play (UPnP)
Ensure UPnP is disabled on the network edge to prevent accidental exposure of the camera's web interface to the internet.

Priority 3
Post-Compromise Review If your cameras have been running vulnerable firmware on a shared network.

Check the system logs for unauthorized password reset events or administrative logins from unknown internal IP addresses.

Force a password rotation for the camera administrator accounts after applying the firmware update.

Sources

TP-Link: Security Advisory on Authentication Bypass in Password Recovery Feature via Local Web App on VIGI Cameras (CVE-2026-0629)

NVD: CVE-2026-0629

 

[stonjean633]

TP link are slow in releasing firmware updates.
One of the advantages of Asus is continous-regular updates