TP-Link fixed a critical flaw that exposed over 32 VIGI C and VIGI InSight camera models to remote hacking, with over 2,500 internet-exposed devices identified.

TP-Link fixed a high-severity flaw, tracked as CVE-2026-0629 (CVSS score 8.7), affecting over 32 VIGI C and VIGI InSight camera models. The vulnerability lets attackers on a local network bypass authentication by abusing the password recovery feature, reset the admin password, and take full control of the cameras.

“Authentication bypass in the password recovery feature of the local web interface in VIGI cameras allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state” reads the advisory. “Attackers can gain full administrative access to the device, compromising configuration and network security.”

TP-Link’s VIGI cameras are professional video surveillance (CCTV) cameras made by TP-Link under its VIGI product line, which targets business and enterprise users, not home consumers.

Researcher Arko Dhar from Redinent Innovations reported the vulnerability.

The researcher told SecurityWeek that attackers could exploit the flaw remotely and that, in October 2025, he found over 2,500 internet-exposed vulnerable cameras. He pointed out that he checked only one model, so the real number of exposed devices is likely much higher.

A hack of TP-Link VIGI cameras can expose live and recorded video, enable spying and physical intrusions, allow attackers to move inside corporate networks, build botnets for DDoS attacks, tamper with evidence, disrupt operations, and create legal and regulatory risks due to privacy violations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini****

(SecurityAffairs** – TP-Link VIGI camera, IoT)**