EXECUTIVE SUMMARY:
CVE-2026-34126 with a CVSS score of 7.3 is a critical initialization‑time information‑leak vulnerability affecting TP‑Link Tapo smart devices, specifically the L535E light bulb (versions 1.0 and 3.0), the P300 smart power strip (version 1.0), and the D100C camera chime (version 1.0). The flaw stems from the firmware’s failure to encrypt Bluetooth traffic during the first‑time pairing with the companion mobile app, causing cleartext transmission of Wi‑Fi credentials and device configuration data. An attacker within Bluetooth range can capture these packets using inexpensive sniffers or perform a man‑in‑the‑middle attack, requiring only proximity and no prior authentication. By replaying or modifying the intercepted data, the adversary can inject malicious network settings, gain unauthorized control of the device, and potentially pivot to other network assets. The business impact includes compromised home automation security, exposure of corporate Wi‑Fi passwords if used in a remote office, and loss of privacy or operational disruption of critical IoT infrastructure. Exploitation requires the device to be in its unpatched, default setup state and the attacker to be within roughly 10 meters of the target during the initial configuration phase.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/tapo-smart-device-vulnerability-fix/