TP-Link acknowledged security reports but…

Did nothing until the research was made public.

Simone Margaritelli / Evilsocket followed the TP-Link process to disclose things responsibly.

Here is the timeline:

📅 July 22, 2025: Sent initial report to TP-Link’s security team (security@tp-link.com) with full technical details, PoC exploits and videos. All compiled according to their guidelines.

📅 July 22, 2025: Acknowledgment received.

📅 August 22, 2025: TP-Link confirms they’re still reviewing the report.

📅 September 27, 2025: TP-Link responds and sets the timeline for the remediation patch to the end of November 2025.

📅 November 2025: Nothing happens.

📅 December 1, 2025: Sent follow-up email, no response.

📅 December 4, 2025: Sent another follow-up email, which TP-Link responds to, further postponing the patch to the following week. The following week: Nothing happens.

📅 December 19, 2025: Public disclosure after 150 days.

📅 December 20, 2025: TP-Link finally publishes a security advisory for CVE-2025-8065, CVE-2025-14299 and CVE-2025-14300.

📄 Research write-up: TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy in the Era of AI Assisted Reverse Engineering | evilsocket

I have talked to a lot of people in security who agree that TP-Link becoming a CNA was not so they could better process their vulnerabilities, but so they could control the process in a way that favors them.

Patrick Garrity 👾🛹💙 is quite the expert on this topic and has talked about TP-Link before: #cybersecurity #infosecurity #riskmanagement #vulnerabilitymanagement | Patrick Garrity 👾🛹💙

1 Like

TP-Link just doesn’t care.

1 Like

Alternate title suggestion: How to destroy trust and alienate your customers

I honestly find it baffling that businesses actually choose to operate this way…

What scares me, in addition to the countless times this keeps happening, is that they are a damn near SECRET Chinese company. They seem to have tried to wipe all mention of them being Chinese off the internet from the research I’m able to do. Also how do you have 2 world headquarters as a business (Singapore and US)???

At least Gl.iNet is open about them being in Hong Kong… though that’s scary if you’ve kept up on what the mainland has done to the poor folks in Hong Kong over the last few years.

And before someone points out that “everyone makes their stuff in China so what’s the difference”… um, it’s called who owns your business and who do you have to report to in the end.

Why does China want Google’s “cartographer” software running on US robot vacuums and REQUIRE them to send back info to Chinese servers???

etc etc etc

1 Like