What is CVE-2026-0629?

It is an authentication bypass vulnerability in the password recovery feature of TP-Link VIGI cameras that allows local attackers to reset administrative passwords without verification.

How is the TP-Link VIGI vulnerability exploited?

Attackers on the same local area network (LAN) can manipulate the client-side state during the password recovery process to gain unauthorized administrative access.

What is the impact of a successful attack on VIGI cameras?

Attackers gain full administrative control, allowing them to modify configurations, disable security logs, and potentially move laterally through the corporate network.

Which TP-Link models are affected by CVE-2026-0629?

The flaw affects 28 models, including the VIGI Cx series, InSight Sx series, and various standalone models like the C340S and C250.

How can I secure my TP-Link VIGI cameras?

You should immediately update to the latest firmware version provided by TP-Link, segment the camera network, and disable the password recovery feature where possible.

Advisory

TP-Link Patches Authentication Bypass Flaw in VIGI Cameras

published: Jan. 20, 2026

Take action: Make sure all CCTV devices are isolated from the internet and accessible from trusted networks only. Segment your surveillance cameras into a dedicated VLAN and if possible disable the password recovery feature on the local web interface. Then plan a patch cycle.

Learn More

TP-Link released a security advisory for a flaw in its VIGI camera series that lets attackers on a local network bypass authentication. It targets the password recovery tool in the camera's local web interface.

The flaw is tracked as CVE-2026-0629 (CVSS score 8.7) and is caused by a improper validation of client-side state during the password recovery process. Attackers only need access to the same local area network (LAN) as the camera to fool the password recovery mechanism.

Successful exploitation gives an attacker full administrative control. They can change camera settings, stop logs, or alter network configurations.

Affected devices include:

VIGI Cx series (C345, C445, C355, C455, C385, C485)
VIGI InSight Sx series (S245, S345, S445, S285, S385)
VIGI C340S, C540S, C540V, and C250 models
VIGI Cx20I, Cx30I, and Cx40I series

TP-Link urges users to install the latest firmware immediately. Updates are available on the official TP-Link support portal. If you cannot patch right away, isolate the cameras to a private network segment and restrict access to trusted staff only.

TP-Link Patches Authentication Bypass Flaw in VIGI Cameras

Read More
Unitronics fixes multiple critical issues in Unistream and …
Critical authentication flaw reported in Lantronix Xport
Critical authentication flaw reported in Siemens Industrial Edge …
Rockwell Automation FactoryTalk reports critical vulnerability
Multiple exploited critical vulnerabilities reported in PTZOptics and …