TP-Link Releases Patch for CVE-2026-0629, Putting Over 32 VIGI Camera Models at Risk via Password Recovery Flaw

39/69 Wednesday, January 21, 2026

TP-Link has released a security update to address a high-severity vulnerability, tracked as CVE-2026-0629, affecting more than 32 models of VIGI C and VIGI InSight surveillance cameras. The flaw is an authentication bypass vulnerability related to the password recovery function in the device’s web-based management interface, which is widely used by businesses across Europe and Southeast Asia.

The vulnerability allows an attacker to reset the administrator password without authentication by manipulating client-side state during the password recovery process. According to the vendor, exploitation requires the attacker to be on the local network (LAN). However, the researcher who discovered the issue warned that if the affected devices are exposed to the internet, attackers could exploit the flaw to gain full administrative control and remotely access live camera feeds.
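A flaw of this kind arises when the browser, rather than the server, carries the record of which recovery step has been completed. The sketch below is an added example, not TP-Link's code (the page does not describe the firmware's logic). It keeps that record server-side and ignores anything the client claims. The names `RecoveryFlow`, `start`, `verify` and `reset`, the 300-second lifetime and the five-guess limit are assumptions.

```python
import hmac
import secrets
import time

class RecoveryFlow:
    """Password recovery whose progress lives on the server, not in the client."""
    TTL = 300       # assumed session lifetime, seconds
    MAX_TRIES = 5   # assumed limit on code guesses per session

    def __init__(self, set_password, clock=time.monotonic):
        self._set_password = set_password   # callable(user, new_password)
        self._clock = clock
        self._sessions = {}                 # session id -> server-side state

    def start(self, user):
        sid = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"   # sent out of band, never to the page
        self._sessions[sid] = {"user": user, "code": code, "verified": False,
                               "tries": 0, "expires": self._clock() + self.TTL}
        return sid, code

    def _live(self, sid):
        s = self._sessions.get(sid)
        if s is not None and self._clock() >= s["expires"]:
            self._sessions.pop(sid, None)
            return None
        return s

    def verify(self, sid, code):
        s = self._live(sid)
        if s is None:
            return False
        s["tries"] += 1
        if s["tries"] > self.MAX_TRIES:
            self._sessions.pop(sid, None)   # too many guesses: kill the session
            return False
        ok = hmac.compare_digest(s["code"].encode(), str(code).encode())
        s["verified"] = s["verified"] or ok
        return ok

    def reset(self, sid, new_password, client_state=None):
        # client_state (e.g. {"verified": True}) is ignored; only the server flag counts.
        s = self._live(sid)
        if s is None or not s["verified"]:
            return False
        self._set_password(s["user"], new_password)
        self._sessions.pop(sid, None)       # single use
        return True
```

A reset request that arrives before `verify` has succeeded for that session is refused regardless of its parameters, which is also a useful event to log and alert on.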

Researchers reported that as of October 2025, more than 2,500 vulnerable devices were accessible from the internet worldwide, and the actual number may be higher since only a subset of affected models was scanned. While attacks on TP-Link products have historically focused on routers, vulnerabilities in surveillance camera systems pose a serious risk to organizational security and privacy. Administrators are therefore strongly advised to identify affected models and update firmware immediately to the latest available version.

Source https://dg.th/hwybdz79l1