Critical Vulnerability – TP-Link VIGI IP Camera

SEVERITY: CRITICAL

Redinent Research discovered a critical authentication bypass vulnerability in the TP-Link VIGI IP Camera. It could allow an attacker to take full control of the camera and perform administrative actions.

Technical Details: An authentication bypass vulnerability has been identified in the TP-Link VIGI IP Camera. This vulnerability can be exploited by tampering with the HTTP response on the login page.

Specifically, an attacker can craft a malicious HTTP response that bypasses the authentication mechanism, allowing unauthorised access to the system. The flaw is in the password recovery feature of the local web interface and affects multiple VIGI camera models: an attacker on the LAN can reset the admin password without verification by manipulating client-side state. The attacker thereby gains full administrative access to the device, compromising its configuration and network security.
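The class of flaw described above, as an added example that is not TP-Link firmware code or Redinent's own: a password-recovery handler that trusts a client-supplied flag, next to one that keeps the verification state on the server. `RecoveryService`, the `verified` and `sid` fields and all passwords are hypothetical, constructed names and values.

```python
import hmac
import secrets


class RecoveryService:
    """Hypothetical model of a device's password-recovery endpoint."""

    def __init__(self):
        self.admin_password = "constructed-initial-value"
        self._pending = {}      # session id -> expected code, kept server-side
        self._verified = set()  # session ids that passed verification

    def start(self):
        sid = secrets.token_hex(16)
        self._pending[sid] = secrets.token_hex(4)  # delivered out of band
        return sid

    def verify(self, sid, code):
        expected = self._pending.pop(sid, None)    # one guess per session
        if expected is None or not hmac.compare_digest(
                expected.encode(), str(code).encode()):
            return False
        self._verified.add(sid)
        return True

    def reset_weak(self, request, new_password):
        # Flawed pattern: the "verified" flag comes from the client, so anyone
        # who can edit the request or the page's state can set it.
        if request.get("verified") is True:
            self.admin_password = new_password
            return True
        return False

    def reset_hardened(self, request, new_password):
        # The server consults only its own record; client claims are ignored.
        sid = request.get("sid")
        if not isinstance(sid, str) or sid not in self._verified:
            return False
        self._verified.discard(sid)                # single use
        self.admin_password = new_password
        return True


def compare_handlers():
    svc = RecoveryService()
    sid = svc.start()
    tampered = {"sid": sid, "verified": True}      # verify() was never called
    weak = svc.reset_weak(tampered, "constructed-pw-1")
    hardened = svc.reset_hardened(tampered, "constructed-pw-2")
    return weak, hardened, svc.admin_password
```

The hardened handler changes the password only for a session the server itself marked as verified, and that mark is consumed on use.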

Affected Versions
Product Name Affected Versions: VIGI InSight Sx45 Series (S245/S345/S445)

TP-Link has released an advisory: https://www.tp-link.com/us/support/faq/4899/

CVE:
https://www.cve.org/cverecord?id=CVE-2026-0629

CVE ID: CVE-2026-0629

Redinent thanks TP-Link and CISA for their support and coordination through this CVE review and publishing cycle.