CVE-2025-4975 is a medium-severity vulnerability classified under CWE-863 (Incorrect Authorization) affecting the TP-Link Tapo app, which manages TP-Link smart devices. The vulnerability arises when a low battery notification is sent to a user who has shared access to a device. If the user taps this notification, the app erroneously grants them full access to the device's power settings, bypassing the intended access control restrictions. This escalation of privileges occurs without requiring additional authentication or user interaction beyond tapping the notification. The vulnerability is due to improper authorization checks in the app's notification handling logic, allowing shared users to perform actions reserved for device owners or administrators. The CVSS 4.0 vector indicates that the attack requires local access (AV:L), low complexity (AC:L), no user interaction (UI:N), and low privileges (PR:L), with limited impact on availability and integrity but some impact on confidentiality. No patches have been linked yet, and no known exploits are reported in the wild. The vulnerability could allow unauthorized users to manipulate device power settings, potentially disrupting device operation or causing denial of service. This issue highlights the importance of strict authorization enforcement in IoT device management applications, especially when sharing device access among multiple users.

For European organizations, especially those deploying TP-Link Tapo smart devices in office environments, smart buildings, or home offices, this vulnerability could lead to unauthorized control over device power settings. This could disrupt device availability, cause operational downtime, or enable denial of service by turning devices off or altering power configurations. In environments relying on these devices for security, environmental controls, or critical infrastructure monitoring, such unauthorized access could degrade operational integrity and availability. Additionally, unauthorized users gaining elevated privileges may lead to further lateral movement or exploitation within the network if devices are interconnected. Although the vulnerability does not directly expose sensitive data, the ability to control device power states can impact service continuity and trust in IoT device management. The medium severity suggests moderate risk but should not be overlooked given the increasing reliance on smart devices in European enterprises and homes.

Organizations should monitor TP-Link's official channels for patches addressing CVE-2025-4975 and apply updates promptly once available. Until patched, administrators should limit device sharing to trusted users only and review shared user privileges within the Tapo app to minimize exposure. Disabling notifications related to device battery status for shared users, if configurable, can reduce the attack surface. Network segmentation of IoT devices can limit the impact of compromised devices. Additionally, implementing monitoring to detect unusual changes in device power settings or unauthorized access attempts can provide early warning. Educating users about the risks of interacting with notifications from shared devices and enforcing strong authentication policies for device management apps can further reduce risk. Finally, organizations should consider alternative device management solutions if critical operations depend on these devices and the vulnerability remains unpatched.