Professional video surveillance cameras from TP-Link, specifically the VIGI C and VIGI InSight series, have received a critical security update addressing a serious flaw tracked as CVE-2026-0629. The vulnerability, rated 8.7 out of 10 on the CVSS scale, allowed attackers to gain full control over affected devices via the local web administration interface, posing a significant risk to corporate CCTV and physical security infrastructures.
CVE-2026-0629 in TP-Link VIGI: Authentication Bypass via Password Reset
The vulnerability was identified by Arko Dhar, co‑founder and CTO of IoT security company Redinent Innovations. The flaw resided in the password recovery mechanism of the cameras’ local web interface. According to TP-Link, a logic error made it possible to bypass authentication and trigger an administrator password reset without any meaningful verification on the device side.
In practice, an attacker on the same network only needed to send a specially crafted HTTP request and manipulate client-side state to trick the interface into resetting the admin account. Once the password was reset, the attacker obtained full administrative access to the IP camera, including live video streams, recorded archives, network parameters and integrations with other security systems.
Why Password Reset Flaws Are So Dangerous for IP Cameras
The root cause of CVE-2026-0629 reflects a classic web security mistake: critical checks performed only on the client side (in the browser) instead of on the server or device. If the firmware does not robustly validate requests—who is making them, from where, and with what privileges—an attacker can directly call internal API endpoints and bypass any JavaScript-based or UI-driven restrictions.
This pattern is common in the IoT device segment. Vendors often prioritize usability and rapid feature delivery, while access control and strong authentication are implemented in a simplified way. For network-connected cameras, this creates an ideal attack surface: compromising a single weak device can expose sensitive video data and open a pivot point deeper into the network.
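The client-side-check mistake described above, shown beside a device-side fix. This is an added illustration, not code from TP-Link firmware or from the researcher; the page does not disclose the real request format, so the `Device` class, the `verified` and `code` fields and the 300-second lifetime are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 300  # seconds a recovery code stays valid (assumed policy)


class Device:
    """Hypothetical camera-side account store; not TP-Link firmware."""

    def __init__(self, admin_password):
        self.admin_password = admin_password
        self._pending = None  # (sha256 of code, expiry time, attempts left)

    def reset_vulnerable(self, request):
        # Flawed pattern: the device believes a flag that the browser-side
        # script sets after "verification". Any client can send that flag.
        if request.get("verified") is True:
            self.admin_password = request["new_password"]
            return True
        return False

    def issue_code(self, now=None):
        # Hardened step 1: the device creates the secret, keeps only its
        # hash, and delivers the code out of band (e.g. recovery e-mail).
        now = time.time() if now is None else now
        code = secrets.token_hex(4)
        digest = hashlib.sha256(code.encode()).digest()
        self._pending = (digest, now + RESET_TTL, 3)
        return code

    def reset_hardened(self, request, now=None):
        # Hardened step 2: every decision uses device-held state only.
        now = time.time() if now is None else now
        if self._pending is None:
            return False  # no reset was ever started on the device
        digest, expires, attempts = self._pending
        if now > expires or attempts <= 0:
            self._pending = None
            return False
        supplied = hashlib.sha256(str(request.get("code", "")).encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            self._pending = (digest, expires, attempts - 1)
            return False
        self._pending = None  # single use
        self.admin_password = request["new_password"]
        return True
```

The hardened handler ignores any client-supplied claim of verification: a reset succeeds only when the device itself started it, the code matches, and the code is unexpired, unused and within its attempt budget.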
From Local Network to Internet-Wide Exploitation
Although CVE-2026-0629 can be exploited from the local network, the risk grows substantially when TP-Link VIGI cameras are exposed directly to the internet. During research in October 2025, Dhar scanned the internet and identified more than 2,500 reachable cameras potentially vulnerable to this flaw—focusing on only one specific model. The real number of exposed and affected devices worldwide is likely much higher.
VIGI cameras are widely deployed in the business segment across more than 36 countries, including markets in Europe, Southeast Asia, North America and South America. For organizations, this means that successful exploitation would not only grant attackers access to video feeds, but could also allow them to use the camera as an entry point into the internal network, escalate privileges and move laterally—tactics commonly seen in modern ransomware and espionage campaigns.
IoT Security Context: TP-Link and Known Exploited Vulnerabilities
According to the Known Exploited Vulnerabilities (KEV) catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), several TP-Link products have previously been involved in real-world attacks, primarily home and small-office routers and Wi‑Fi extenders. These devices have been abused by threat actors for activities ranging from darknet proxying to DDoS botnets, echoing earlier large-scale IoT incidents such as the Mirai botnet.
The emergence of a high-impact vulnerability in professional IP cameras underscores that IoT security is a systemic issue, not limited to consumer routers. Video surveillance cameras, building controllers and other connected devices are increasingly integrated into corporate networks and are attractive for attackers looking for poorly defended footholds.
Security Recommendations for TP-Link VIGI and Other IP Camera Deployments
Organizations using TP-Link VIGI C and VIGI InSight cameras should take the following steps without delay to mitigate CVE-2026-0629 and strengthen overall video surveillance security:
1. Apply the latest firmware updates. Install the vendor’s patched firmware that addresses CVE-2026-0629 on all affected cameras. For IoT and IP cameras, a formal patch management process is critical—unpatched edge devices are a common starting point in real incidents.
2. Eliminate direct internet exposure. Do not publish camera web interfaces directly to the internet. Instead, use VPN access, secure corporate remote-access portals or dedicated gateways, and enforce strict firewall rules. Where remote viewing is needed, prefer secure relay services or reverse proxies with strong authentication.
3. Implement robust network segmentation. Place CCTV and other IoT devices in separate network segments (for example, isolated VLANs) with restricted access to critical business systems. Even if a camera is compromised, segmentation limits an attacker’s ability to reach file servers, domain controllers and business applications.
4. Replace default and weak credentials. Enforce unique, strong passwords for all administrative accounts on TP-Link cameras and NVRs, and use password managers to maintain them. Where available, enable multi-factor authentication (MFA) for management interfaces.
5. Conduct regular security assessments. Periodically scan both external and internal infrastructure for exposed web interfaces, outdated firmware and known vulnerabilities. Align vulnerability management activities with authoritative sources such as the CISA KEV catalog and vendor advisories, and integrate IoT assets into existing security monitoring (SIEM, IDS/IPS).
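One way to turn steps 1 to 3 into a repeatable check over a camera inventory and a firewall rule export. This is an added example, not vendor tooling; the model name, dotted firmware versions, the patched version, the subnets and the rule format are constructed placeholders to be replaced with values from the vendor advisory and your own network.

```python
import ipaddress

# All values below are constructed for illustration (no real devices).
PATCHED = {"CAM-MODEL-X": (2, 0, 0)}              # placeholder: use the advisory's fixed version
CCTV_VLAN = ipaddress.ip_network("10.50.0.0/24")  # assumed camera segment
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")   # assumed VPN/management segment

CAMERAS = [
    {"name": "lobby", "model": "CAM-MODEL-X", "fw": "2.0.0", "ip": "10.50.0.11"},
    {"name": "dock", "model": "CAM-MODEL-X", "fw": "1.4.2", "ip": "10.50.0.12"},
    {"name": "office", "model": "CAM-MODEL-X", "fw": "2.0.1", "ip": "10.10.3.40"},
]
# Firewall rules that permit traffic to a camera's web interface.
ALLOW_RULES = [
    {"src": "10.99.0.0/24", "dst": "10.50.0.11"},
    {"src": "0.0.0.0/0", "dst": "10.50.0.12"},    # any-source rule, i.e. a port forward
    {"src": "10.10.0.0/16", "dst": "10.10.3.40"},
]


def version(text):
    """Parse a dotted version string into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def audit(camera, rules=ALLOW_RULES):
    """Return the list of findings for one inventory record."""
    findings = []
    fixed = PATCHED.get(camera["model"])
    if fixed is None or version(camera["fw"]) < fixed:
        findings.append("firmware-not-patched")          # step 1
    if ipaddress.ip_address(camera["ip"]) not in CCTV_VLAN:
        findings.append("outside-cctv-segment")          # step 3
    for rule in rules:
        if rule["dst"] != camera["ip"]:
            continue
        src = ipaddress.ip_network(rule["src"])
        if src.prefixlen == 0:
            findings.append("reachable-from-internet")   # step 2
        elif not src.subnet_of(MGMT_NET):
            findings.append("reachable-from-non-management-network")
    return findings


def audit_all(cameras=CAMERAS):
    return {camera["name"]: audit(camera) for camera in cameras}
```

A model missing from `PATCHED` is reported as unpatched on purpose, so unknown devices surface in the report instead of passing silently.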
The CVE-2026-0629 incident demonstrates that modern video surveillance systems are full-fledged network endpoints, not just “cameras on the wall.” Treating IP cameras and other IoT devices with the same security rigor as servers and workstations—timely patching, restricted exposure, segmentation and continuous monitoring—significantly reduces the risk of data leakage, sabotage and covert surveillance of business processes. Organizations that embed IoT security into their overall cybersecurity strategy will be better positioned to withstand the next wave of attacks targeting connected devices.