CVE-2024-35495 identifies an information disclosure vulnerability in the telemetry component of TP-Link Kasa KP125M V1.0.0 and Tapo P125M 1.0.0 Build 220930 Rel.143947 smart devices. The vulnerability arises because telemetry data, which reports device state information, is transmitted over the network in a manner that can be observed by attackers without requiring authentication or elevated privileges. Specifically, an attacker can passively monitor network traffic to glean sensitive information about the device's operational state, potentially including usage patterns or configuration details. This exposure is due to insufficient protection of telemetry data in transit, likely lacking encryption or proper access controls, corresponding to CWE-319 (Cleartext Transmission of Sensitive Information). The vulnerability does not allow modification of device state or denial of service but compromises confidentiality. The CVSS v3.1 base score of 4.3 reflects a network attack vector with low complexity, no privileges required, but requiring user interaction (e.g., device communication triggering). No patches or fixes have been published yet, and no active exploitation has been reported. The vulnerability highlights risks inherent in IoT telemetry implementations, where sensitive data leakage can aid attackers in reconnaissance or profiling of devices within a network.

The primary impact of CVE-2024-35495 is the unauthorized disclosure of device state information, which can undermine user privacy and provide attackers with intelligence about device usage and network environment. While it does not allow direct control or disruption of the devices, the leaked information could facilitate targeted attacks or surveillance. For organizations deploying these devices, especially in sensitive environments, this could lead to exposure of operational patterns or presence detection. The impact is limited to confidentiality, with no direct integrity or availability consequences. However, in aggregate or combined with other vulnerabilities, this information leakage could contribute to more severe attacks. The lack of authentication and ease of exploitation over the network increase risk, particularly in unsecured or poorly segmented networks. The absence of patches means the vulnerability remains exploitable until addressed by the vendor.

To mitigate CVE-2024-35495, organizations should implement network segmentation to isolate IoT devices from critical infrastructure and sensitive data networks, reducing exposure to potential attackers. Employing encrypted communication channels, such as VPNs or secure tunnels, can protect telemetry data in transit if device firmware updates are unavailable. Monitoring network traffic for unusual patterns or unauthorized telemetry data access can help detect exploitation attempts. Disabling telemetry features where possible or limiting telemetry data transmission to trusted networks can reduce risk. Organizations should also engage with TP-Link for firmware updates or patches addressing this vulnerability and apply them promptly once available. Additionally, adopting IoT security best practices, including strong network access controls and device inventory management, will help mitigate broader risks associated with IoT telemetry data exposure.