CVE-2021-4045 is an unauthenticated remote code execution vulnerability affecting TP-Link Tapo C200 IP cameras running firmware 1.1.15 and earlier. The flaw is present in the device's uhttpd component, which runs by default with root privileges. The vulnerability is caused by command injection, allowing a remote attacker to supply crafted input to the web service and trigger execution of arbitrary operating system commands without authentication. Because the vulnerable service executes as root, successful exploitation results in immediate full-device compromise.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository provides an operational exploit for CVE-2021-4045, targeting the TP-Link Tapo C200 camera. The main exploit logic is implemented in 'tapodate/__main__.py', which constructs and sends malicious payloads to the camera's HTTPS interface. The exploit leverages a command injection vulnerability in the camera's 'setLanguage' method, allowing arbitrary shell commands to be executed. The payload sets the system date, restarts the NTP and Telnet daemons, and overwrites the /etc/hosts file to block cloud connections. The exploit is configurable via environment variables for camera IPs and NTP servers. The repository includes supporting files for packaging, Docker deployment, and testing, but the core exploit resides in the Python module. No fake or detection-only code is present; this is a functional exploit with real impact on vulnerable devices.
This repository contains a Python exploit (pwntapo.py) targeting a command injection vulnerability (CVE-2021-4045) in TP-Link Tapo C200 cameras running firmware versions below 1.1.16 Build 211209 Rel. 37726N. The exploit allows an unauthenticated attacker to execute arbitrary commands on the camera via a crafted HTTP POST request to the camera's web interface (port 443, HTTPS). The main script supports two modes: 'shell' (spawns a reverse shell to the attacker's machine) and 'rtsp' (injects attacker-controlled credentials to enable RTSP video streaming from the camera). The exploit requires the attacker to know the camera's IP address and, for RTSP mode, to supply credentials and a ciphertext. The repository includes a README with detailed usage instructions, the main exploit script, and a requirements.txt for dependencies. The attack vector is network-based, and the main fingerprintable endpoints are the camera's HTTPS interface and the RTSP stream URL.
This repository contains a Python exploit (rce.py) targeting TP-LINK Tapo c200 IP cameras running firmware version 1.1.15 and below (CVE-2021-4045). The exploit leverages an unauthenticated remote code execution vulnerability by sending a crafted JSON payload to the camera's HTTPS interface on port 443. The payload abuses the 'setLanguage' method to inject a shell command that establishes a reverse shell connection to the attacker's machine on port 5202 using netcat. The exploit script also starts a netcat listener on the attacker's machine to receive the shell. The repository includes a README with a brief description and references. The main code file is rce.py, written in Python, and the attack is network-based, requiring only the victim's IP and the attacker's IP as input.
This repository contains a working exploit for CVE-2021-4045, a command injection vulnerability in TP-Link Tapo C200 IP cameras (firmware <1.1.16 Build 211209 Rel. 37726N). The exploit is implemented in 'pwntapo.py', a Python script that provides two main attack modes: 'shell' (spawns a root reverse shell to the attacker's machine) and 'rtsp' (sets up attacker-controlled RTSP credentials and enables video stream access). The exploit works by sending a crafted JSON payload via an unauthenticated POST request to the camera's root endpoint over HTTPS (port 443). The payload abuses the 'setLanguage' method, which is vulnerable to command injection due to improper input sanitization. The script disables SSL warnings, constructs the payload, and sends it to the target. For the reverse shell, it listens on port 1337 and injects a netcat-based shell command. For RTSP access, it sets new credentials and restarts the streaming service. The repository includes a detailed README explaining the vulnerability, binary analysis, and exploitation steps. No authentication is required for exploitation, making this a critical remote code execution vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specific CVE included in TuxBot's exploit VM set, but the VM is completely broken due to a magic mismatch and never executes.
An unauthenticated remote code execution vulnerability affecting the TP-Link Tapo C200.
An unauthenticated remote code execution vulnerability affecting the TP-Link Tapo C200.
An unauthenticated remote code execution (RCE) vulnerability affecting the TP-Link Tapo C200 camera.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.