The researcher who discovered the vulnerability saw more than 2,500 internet-exposed devices.
January 19, 2026 By Eduard Kovacs
TP-Link has patched a serious vulnerability that can be exploited to take control of more than 32 of its VIGI C and VIGI InSight series professional surveillance camera models.
The security hole, tracked as CVE-2026-0629 and classified as high severity, is described in a TP-Link advisory published last week as an authentication bypass flaw affecting the password recovery feature in the cameras’ local web interface.
The flaw, according to TP-Link, “allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state”, enabling them to gain full admin access to the device.
The vulnerability was discovered by Arko Dhar, co-founder and CTO of IoT cybersecurity company Redinent Innovations.
Dhar told SecurityWeek that an attacker could exploit the vulnerability to gain complete access to the targeted camera, including its video feed and other functionality.
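The advisory gives no implementation details. The following added example (not from TP-Link, Redinent or the original article) illustrates the general class it names: a password-reset handler that trusts client-supplied state, beside one that keeps verification state on the server. All function names, request fields and the out-of-band recovery code are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Hypothetical server-side store: reset-session id -> state (not vendor code).
_SESSIONS = {}
CODE_TTL = 300      # seconds a recovery code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per session (assumed value)

def reset_trusting_client(request, accounts):
    """Flawed pattern: the 'verified' flag is whatever the client sends."""
    if request.get("verified") == "true":
        accounts["admin"] = request["new_password"]  # stand-in for a hashed store
        return True
    return False

def start_recovery(deliver_code):
    """Create the recovery state on the server; the code leaves out of band."""
    sid = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"
    _SESSIONS[sid] = {"code": code, "verified": False, "tries": 0,
                      "expires": time.time() + CODE_TTL}
    deliver_code(code)
    return sid

def verify_code(sid, code):
    """Mark the session verified only when the server-held code matches."""
    s = _SESSIONS.get(sid)
    if s is None or time.time() > s["expires"]:
        _SESSIONS.pop(sid, None)
        return False
    s["tries"] += 1
    if s["tries"] > MAX_ATTEMPTS:   # throttle guessing of the 6-digit code
        del _SESSIONS[sid]
        return False
    ok = hmac.compare_digest(s["code"].encode(), str(code).encode())
    if ok:
        s["verified"] = True
    return ok

def reset_server_checked(request, accounts):
    """Hardened pattern: only server-side state decides; client flags are ignored."""
    sid = request.get("sid", "")
    s = _SESSIONS.get(sid)
    if s is None or not s["verified"] or time.time() > s["expires"]:
        return False
    accounts["admin"] = request["new_password"]  # stand-in for a hashed store
    del _SESSIONS[sid]                           # reset sessions are single use
    return True
```
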