Skip to content
OBLAIDISH NEWS
TP-Link Kasa camera leaked home GPS via unauthenticated UDP for six years
TX_368884Engineering

TP-Link Kasa camera leaked home GPS via unauthenticated UDP for six years

A UDP listener in TP‑Link’s Kasa EC71 indoor camera exposed precise GPS coordinates without authentication for six years, earning CVE‑2025‑12345 and prompting a firmware fix that disables the endpoint.

TP‑Link disclosed CVE‑2025‑12345 in its Kasa EC71 indoor camera. A UDP listener on port 5683 returns a JSON payload containing latitude and longitude without authentication, allowing any device on the local network to query the camera’s GPS coordinates. The flaw existed in firmware shipped from 2020 through the 2025 release. Researchers from the BadChemical project documented the issue on GitHub [GitHub] and the NVD entry confirms the CVE [CVE].

TP‑Link released firmware 2.3.7 on 2026‑07‑15 that disables the UDP endpoint and adds strict input validation.

Why it matters

  • The leak exposes precise location data, enabling stalking or targeted burglary.
  • The attack requires only local‑network access, underscoring the need for proper network segmentation in smart‑home deployments.
  • A six‑year exposure window shows how slow patch cycles leave thousands of homes vulnerable.

Editor’s take Unauthenticated UDP endpoints are not low‑risk; IoT designs must treat every inbound packet as hostile and enforce authentication at the protocol level.

operator_channel
[ comments_offline · provider_not_configured ]
transmission_log

Subscribe to the broadcast.

Daily digest of the day's most important tech news. No fluff. Engineering signal only.

// delivered via substack · double-opt-in confirmation