TP-Link has addressed a critical security vulnerability affecting more than 32 models of its VIGI C and VIGI InSight professional surveillance cameras. The flaw allowed attackers on a local network to bypass authentication by exploiting a weakness in the password recovery process, potentially giving them full administrative control over the devices.
Security researcher Arko Dhar from Redinent Innovations discovered the vulnerability, which is tracked as CVE-2026-0629 and carries a high-severity rating. By manipulating the client-side state of the camera's web interface, an unauthorized user could reset the administrator password without needing any verification. This access would allow a malicious actor to completely compromise the camera's configuration and the security of the broader network it resides on.
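The page does not document the exact VIGI recovery flow, so the following is an added, constructed illustration in Python of the general flaw class described above, not TP-Link's code. It pairs a reset handler that trusts a "verified" flag carried in the wizard state the browser posts back (the bypass: an attacker simply submits the final request with that flag set) with a hardened handler that only honours a random, single-use, expiring token the server itself issued after the verification step succeeded. The names (RecoveryServer, the security-answer check, the 300-second TTL) are assumptions made for the example.

```python
"""Constructed example: client-side recovery state vs. server-issued tokens.

Not TP-Link's code. Models a multi-step password-recovery wizard where the
vulnerable version lets the browser tell the server "verification passed".
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


def _hash(value: str) -> str:
    """Hash secrets before storing or comparing them (sha256 keeps it self-contained)."""
    return hashlib.sha256(value.encode()).hexdigest()


def new_device(password: str) -> Dict[str, str]:
    """Constructed stand-in for the camera's admin account record."""
    return {"user": "admin", "password_hash": _hash(password)}


def reset_password_vulnerable(device: Dict[str, str], request: dict) -> bool:
    """VULNERABLE: trusts wizard state that the client accumulated and sent back.

    `request["state"]` is whatever the browser-side JS carried between steps.
    Nothing proves step 1 ever ran, so posting {"verified": True} directly
    resets the admin password with no verification at all.
    """
    state = request.get("state", {})
    if not state.get("verified"):
        return False
    device["password_hash"] = _hash(request["new_password"])
    return True


class RecoveryServer:
    """HARDENED: the proof of verification lives on the server, not in the client."""

    TTL = 300  # assumed lifetime of a recovery token, in seconds

    def __init__(self, device: Dict[str, str], verification_answer: str):
        self.device = device
        self._answer_hash = _hash(verification_answer)
        self._pending: Dict[str, float] = {}  # hash(token) -> expiry epoch

    def verify(self, answer: str, now: Optional[float] = None) -> Optional[str]:
        """Step 1: check the out-of-band proof and hand back an opaque one-time token."""
        if not hmac.compare_digest(_hash(answer), self._answer_hash):
            return None
        token = secrets.token_urlsafe(32)
        issued = now if now is not None else time.time()
        self._pending[_hash(token)] = issued + self.TTL
        return token

    def reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Step 2: only a token this server issued, unexpired and unused, unlocks the reset."""
        expiry = self._pending.pop(_hash(token), None)  # pop => single use, even on failure
        current = now if now is not None else time.time()
        if expiry is None or current > expiry:
            return False
        self.device["password_hash"] = _hash(new_password)
        return True


if __name__ == "__main__":
    cam = new_device("original-secret")
    forged = {"state": {"verified": True}, "new_password": "pwned"}
    print("vulnerable reset with forged state:", reset_password_vulnerable(cam, forged))

    srv = RecoveryServer(new_device("original-secret"), "blue")
    print("hardened reset with forged token:", srv.reset("anything", "pwned"))
    tok = srv.verify("blue")
    print("hardened reset with issued token:", srv.reset(tok, "rotated"))
    print("replay of the same token:", srv.reset(tok, "again"))
```

The point of the hardened version is not the token format but where the state lives: the client never holds anything the server will believe on its own say-so, and the token is bound to a successful verification, to a time window, and to a single use.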
The VIGI product line is specifically designed for business and enterprise environments rather than residential use. Because these cameras are professional tools, a successful exploit could lead to serious consequences, including the exposure of live and recorded video feeds and the ability for hackers to spy on sensitive locations. Beyond simple privacy concerns, these devices could be used as a gateway for attackers to move laterally through a corporate network.
The scale of the issue is significant, as the researcher identified over 2,500 vulnerable devices directly exposed to the internet during his investigation in late 2025. This figure likely represents only a fraction of the total risk, given that the search focused on a single model. Many of these cameras are situated in locations where security is paramount, making them prime targets for building botnets or disrupting essential business operations.
To mitigate these risks, TP-Link has released firmware updates to patch the authentication bypass. Failure to secure these devices could result in physical security breaches, the tampering of surveillance evidence, and significant legal liabilities due to privacy law violations. Organizations using these cameras are urged to apply the updated firmware immediately to prevent unauthorized administrative access and protect their internal infrastructure.
Source: Critical TP Link VIGI Camera Flaw Enabled Remote Takeover Of Surveillance Systems

The client-side password reset manipulation is a pretty glaring oversight for enterprise gear. When you're talking about 2,500+ devices exposed on the internet and potential lateral movement through corporate networks, this becomes way more than just a camera vulnerability. I've worked with organizations where these surveillance systems sit on the same network as critical infrastructure, and a bypass like this could be catastrophic. The firmware patch is essential but the real lesson is about network segmentation.