CVE-2026-0652
Published 2026-02-10
Priority: P274 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 22.76% (97.4th percentile)
On TP-Link Tapo C260 v1, a command injection vulnerability exists due to improper sanitization of certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands, with high impact on confidentiality, integrity and availability; this may result in full device compromise.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | tapo_c260_firmware | < 1.1.9 | 1.1.9 |
| tp-link_systems_inc | tapo_c260_v1 | < 1.1.9 Build 251226 Rel.55870n | 1.1.9 Build 251226 Rel.55870n |
Detection & IOCs (extracted from sources)
Snort/Suricata rule (sid:2068295):
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TP-Link services-sync dev_name Parameter Command Injection Attempt (CVE-2026-0652)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:11; content:"/v1/things/"; startswith; content:"/services-sync"; endswith; http.request_body; content:"|22|requests|22|"; content:"|22|method|22|"; content:"|22|setLedStatus|22|"; content:"|22|params|22|"; content:"|22|tp_manage|22|"; fast_pattern; content:"|22|dev_name|22|"; pcre:"/^(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,spaceraccoon.dev/getting-shell-tapo-c260-webcam/; reference:cve,2026-0652; classtype:attempted-admin; sid:2068295; rev:1;)
```
- Target POST requests to a URI matching /v1/things/*/services-sync (the rule's 'bsize:11' corresponds to the 11-byte prefix '/v1/things/'). Inspect the request body for the JSON keys 'requests', 'method', 'setLedStatus', 'params', 'tp_manage' and 'dev_name'.
- The 'dev_name' parameter value is the injection point. Flag values containing shell metacharacters: semicolon (;/%3B), newline (\x0a/%0A), backtick (`/%60), pipe (|/%7C) or dollar sign ($/%24), encoded or literal.
- Exploitation requires authentication; monitor for authenticated sessions issuing POST requests to the services-sync endpoint, which handles configuration synchronization on TP-Link Tapo C260 v1.
- Reference blog post for PoC and additional exploitation details: spaceraccoon.dev/getting-shell-tapo-c260-webcam/
- The Snort/Suricata rule (sid:2068295) uses 'bsize:11' to match the exact byte length of '/v1/things/' in the URI; ensure your IDS/IPS engine supports the 'bsize' keyword (Suricata 4.x+ required), as older Snort versions may not support this modifier.
- The rule metadata specifies 'tls_state plaintext', meaning it will NOT fire on TLS-encrypted traffic. If the device is accessed over HTTPS, additional SSL inspection infrastructure is required.
- Exploitation requires prior authentication ('An authenticated attacker'), so a detection of this injection alone does not indicate initial compromise; correlate with authentication events to assess the full attack chain.
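The rule's checks (POST method, URI prefix and suffix, required body keys, and the relative pcre on the 'dev_name' value) carried over into standalone Python and run against constructed sample requests, as an added example that is not code from this page or from the rule's author. The URIs and bodies are invented, and the 'bsize' check is left out because this matcher works on the whole decoded URI rather than the IDS buffer.

```python
import re

# Body keys the rule requires, each matched as a JSON-quoted string (|22|...|22| in the rule).
REQUIRED_BODY_KEYS = ("requests", "method", "setLedStatus", "params", "tp_manage", "dev_name")

# The rule's pcre, applied relative to the end of the "dev_name" match (its /R flag):
# optional ': "' or ':"', a lazy run of non-comma / non-'}' / non-'$' characters, then
# one or more shell metacharacters, literal or URL-encoded: ; newline ` | $
DEV_NAME_INJECTION_RE = re.compile(
    r"^(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?"
    r"(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)


def matches_rule(method: str, uri: str, body: str) -> bool:
    """Apply the rule's method, URI and body checks to one decoded HTTP request."""
    if method != "POST":
        return False
    # startswith / endswith on the URI buffer, as in the rule.
    if not (uri.startswith("/v1/things/") and uri.endswith("/services-sync")):
        return False
    if any(f'"{key}"' not in body for key in REQUIRED_BODY_KEYS):
        return False
    anchor = body.index('"dev_name"') + len('"dev_name"')
    return DEV_NAME_INJECTION_RE.match(body[anchor:]) is not None


# Constructed sample requests (not real captures); the first two should not alert.
SAMPLE_REQUESTS = [
    ("benign-name", "POST", "/v1/things/abcdef/services-sync",
     '{"requests":[{"method":"setLedStatus","params":{"tp_manage":{"dev_name":"Front Door"}}}]}'),
    ("other-endpoint", "POST", "/v1/things/abcdef/status",
     '{"requests":[{"method":"setLedStatus","params":{"tp_manage":{"dev_name":"x;y"}}}]}'),
    ("literal-semicolon", "POST", "/v1/things/abcdef/services-sync",
     '{"requests":[{"method":"setLedStatus","params":{"tp_manage":{"dev_name":"cam;x"}}}]}'),
    ("encoded-pipe", "POST", "/v1/things/abcdef/services-sync",
     '{"requests":[{"method":"setLedStatus","params":{"tp_manage":{"dev_name":"cam%7Cx"}}}]}'),
]


def flagged_labels(samples=SAMPLE_REQUESTS) -> list:
    """Return the labels of the sample requests the rule logic would alert on."""
    return [label for label, method, uri, body in samples if matches_rule(method, uri, body)]


if __name__ == "__main__":
    print(flagged_labels())  # ['literal-semicolon', 'encoded-pipe']
```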
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Suricata
ET WEB_SPECIFIC_APPS TP-Link services-sync dev_name Parameter Command Injection Attempt (CVE-2026-0652) [HIGH]
suricata · 2026-03-17 · CVSS 8.7
Rule: sid:2068295, quoted in full under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.