Platform: other
Component: vigi-insight-sx45-series-camera
Fixed in:
3.1.0_Build_250820_Rel.57668n
3.1.0_Build_250820_Rel.58873n
3.0.2_Build_250630_Rel.71279n
1.1.1_Build_250625_Rel.64224n
1.2.0_Build_250820_Rel.60930n
1.2.0_Build_250827_Rel.66817n
3.1.0_Build_250625_Rel.65381n
CVE-2026-0629 describes an authentication bypass vulnerability affecting VIGI InSight Sx45 Series Cameras running versions 0 through 3.1.0. This flaw allows an attacker within the local network (LAN) to manipulate client-side state and reset the administrator password without proper verification. Successful exploitation grants the attacker complete administrative control over the device, potentially compromising network security and device configuration. The vulnerability has been fixed in version 3.1.0_Build_250820_Rel.58873n.
The impact of CVE-2026-0629 is significant. An attacker who successfully exploits this vulnerability gains full administrative access to the VIGI InSight Sx45 Series Camera. This allows them to modify device settings, access recorded footage, and potentially use the camera as a pivot point to compromise other devices on the same network. The ability to reset the administrator password bypasses standard authentication mechanisms, making it a particularly dangerous vulnerability. The lack of verification during the password recovery process is the root cause, enabling attackers to easily manipulate the system. This is similar to other authentication bypass vulnerabilities where client-side state is not properly validated.
CVE-2026-0629 was publicly disclosed on 2026-01-16. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The EPSS score is pending evaluation, but the ease of exploitation suggests a potential for medium-level risk.
Exploit Status
EPSS: 0.02% (5% percentile)
The primary mitigation for CVE-2026-0629 is to upgrade the VIGI InSight Sx45 Series Camera to version 3.1.0_Build_250820_Rel.58873n or later. If an immediate upgrade is not possible due to compatibility issues or system downtime requirements, consider segmenting the camera on a separate VLAN to limit its access to critical network resources. Monitor network traffic for unusual activity related to the password recovery endpoint. While a direct WAF rule is unlikely to be effective, implementing strict network access controls and multi-factor authentication (if supported by the camera) can provide additional layers of defense. After upgrading, confirm the fix by attempting a password recovery from a different network segment and verifying that the process requires proper authentication.
Update your VIGI InSight Sx45 Series camera firmware to the latest version available on the TP-Link official website. This will resolve the authentication bypass vulnerability in the password recovery feature.
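To check a camera inventory against the fixed builds, the following added example (not code from the advisory or the vendor) parses the build-string layout used in the "Fixed in" list and classifies each device. The inventory rows and the names `status`, `audit` and `BASELINE` are hypothetical; it assumes the six-digit field is a YYMMDD build date and that you supply the fixed build for each device's model, since this page does not map builds to models.

```python
import re

# Layout of the build strings in this page's "Fixed in" list,
# e.g. 3.1.0_Build_250820_Rel.58873n (Rel number is not used for ordering).
FW_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)_Build_(\d{6})_Rel\.\d+n?$")

# Fixed builds exactly as listed on this page.
FIXED_BUILDS = {
    "3.1.0_Build_250820_Rel.57668n", "3.1.0_Build_250820_Rel.58873n",
    "3.0.2_Build_250630_Rel.71279n", "1.1.1_Build_250625_Rel.64224n",
    "1.2.0_Build_250820_Rel.60930n", "1.2.0_Build_250827_Rel.66817n",
    "3.1.0_Build_250625_Rel.65381n",
}

def parse_fw(value):
    """Return ((major, minor, patch), build_date) or None if malformed."""
    m = FW_RE.match(value.strip())
    if not m:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build  # assumption: build is YYMMDD

def status(firmware, baseline):
    """Classify firmware against the fixed build for that device's model."""
    if firmware.strip() in FIXED_BUILDS:
        return "patched"  # exact match with a build listed as fixed
    fw, base = parse_fw(firmware), parse_fw(baseline)
    if fw is None or base is None:
        return "review"  # fail closed: unknown strings need a manual check
    return "patched" if fw >= base else "vulnerable"

# Constructed sample inventory: (device name, reported firmware, model baseline).
BASELINE = "3.1.0_Build_250820_Rel.58873n"
INVENTORY = [
    ("cam-lobby", "3.1.0_Build_250820_Rel.58873n", BASELINE),
    ("cam-dock", "3.0.1_Build_250110_Rel.40112n", BASELINE),
    ("cam-gate", "3.1.1_Build_251102_Rel.33010n", BASELINE),
    ("cam-roof", "unknown", BASELINE),
]

def audit(inventory):
    """Map each device name to patched / vulnerable / review."""
    return {name: status(fw, base) for name, fw, base in inventory}

if __name__ == "__main__":
    for name, result in audit(INVENTORY).items():
        print(f"{name}: {result}")
```

Devices reported as `review` should be treated as unpatched until their firmware string is confirmed by hand.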
CVE-2026-0629 is an authentication bypass vulnerability in VIGI InSight Sx45 Series Cameras allowing attackers to reset the admin password without verification, granting full access.
You are affected if you are using a VIGI InSight Sx45 Series Camera running versions 0–3.1.0_Build_250820_Rel.58873n.
Upgrade your VIGI InSight Sx45 Series Camera to version 3.1.0_Build_250820_Rel.58873n or later to mitigate the vulnerability.
There is currently no indication of active exploitation campaigns targeting CVE-2026-0629.
Refer to the official Dahua advisory for details and further information regarding CVE-2026-0629.