CVE-2025-4975: CWE-269 Improper Privilege Management in TP-Link Systems Inc. TP-Link Tapo app
When a notification relating to low battery appears for a user with whom the device has been shared, tapping the notification grants full access to the power settings of that device.
AI Analysis
Technical Summary
CVE-2025-4975 is a medium severity vulnerability identified in the TP-Link Tapo app, a mobile application used to manage TP-Link smart home devices. The vulnerability stems from improper privilege management (CWE-269) within the app's handling of low battery notifications for shared devices. Specifically, when a device owner shares access to a TP-Link device with another user, the app sends a low battery notification to the shared user. If the shared user taps this notification, they are inadvertently granted full access to the power settings of the device, which should normally be restricted to the device owner or users with elevated privileges. This flaw allows a user with limited permissions to escalate their privileges without authentication or additional user interaction, potentially enabling them to alter device power configurations. The CVSS 4.0 vector indicates that the attack requires local access (AV:L), low complexity (AC:L), no authentication (AT:N), low privileges (PR:L), no user interaction (UI:N), and results in low impact on availability (VA:L) but no impact on confidentiality or integrity. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects the TP-Link Tapo app, but the affected versions are not clearly specified beyond a placeholder "0". This suggests the issue may be present in initial or early versions of the app or that version details are pending. Overall, this vulnerability allows unauthorized privilege escalation through a notification interaction, which could be exploited by shared users to manipulate device power settings, potentially disrupting device operation or causing denial of service.
Potential Impact
For European organizations, especially those deploying TP-Link Tapo smart devices in offices, facilities, or homes, this vulnerability poses a risk of unauthorized control over device power settings by users with shared access. This could lead to operational disruptions if devices are powered down or misconfigured, affecting business continuity or critical infrastructure relying on these devices. Although the impact on confidentiality and integrity is low, availability could be compromised, particularly in environments where device uptime is critical. The risk is heightened in organizations with multiple users sharing device access, such as multi-tenant buildings or collaborative workspaces. Additionally, if attackers gain physical or local network access to devices, they could exploit this flaw to escalate privileges without needing further authentication or user interaction. This could undermine trust in smart device management and potentially lead to broader security concerns if attackers use this as a foothold for lateral movement within networks.
Mitigation Recommendations
Organizations should immediately review and restrict shared access permissions within the TP-Link Tapo app, limiting the number of users with shared device access to only those absolutely necessary. Users should be educated to avoid interacting with low battery notifications from shared devices until a patch is available. Network segmentation should be employed to isolate smart home or IoT devices from critical business networks, reducing the risk of local exploitation. Monitoring and logging of device management activities can help detect unauthorized changes to power settings. Since no patch is currently available, organizations should consider temporarily disabling shared access features or using alternative device management solutions. Once TP-Link releases a patch, prompt application of updates is essential. Additionally, TP-Link and related vendors should implement stricter privilege checks on notification interactions to ensure that only authorized users can modify device settings, and conduct thorough security testing of notification handling workflows in future app versions.
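The last recommendation above (authorize the tap, not the notification) is illustrated by this added Python model; it is not TP-Link code, and the role names, screen names and deep-link payload layout are assumptions constructed for the example. It shows the pattern the advisory describes beside a hardened handler that re-derives the tapping user's role on the shared device.

```python
"""Constructed model of authorizing a notification tap before opening a device
screen. Not TP-Link code; roles, screen names and payload fields are assumed."""
from dataclasses import dataclass, field
from typing import Optional, Set

OWNER, SHARED = "owner", "shared"
# Screens each role may open; a shared user may only read battery status.
ALLOWED_SCREENS = {
    OWNER: {"battery_status", "power_settings"},
    SHARED: {"battery_status"},
}


@dataclass
class Device:
    device_id: str
    owner: str
    shared_with: Set[str] = field(default_factory=set)

    def role_of(self, user: str) -> Optional[str]:
        if user == self.owner:
            return OWNER
        if user in self.shared_with:
            return SHARED
        return None


def vulnerable_open(device: Device, user: str, notification: dict) -> str:
    """Pattern the advisory describes: the deep link carried by the notification
    is trusted and opened as-is, with no check of the tapping user's role."""
    return notification["target"]


def hardened_open(device: Device, user: str, notification: dict) -> str:
    """Derive the permitted screen from the user's role on this device, so a
    shared user tapping a low-battery alert lands on the read-only view."""
    role = device.role_of(user)
    if role is None:
        raise PermissionError(f"{user} has no access to {device.device_id}")
    target = notification["target"]
    if target in ALLOWED_SCREENS[role]:
        return target
    # Downgrade rather than deny: the alert itself is still useful to read.
    return "battery_status"


# Constructed sample: owner alice shares cam-01 with bob; both get the alert.
CAM = Device("cam-01", owner="alice", shared_with={"bob"})
LOW_BATTERY = {"type": "low_battery", "device_id": "cam-01", "target": "power_settings"}
```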
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: TPLink
- Date Reserved: 2025-05-20T02:56:36.381Z
- Cisa Enriched: false
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682f99000acd01a24927002e
Added to database: 5/22/2025, 9:37:04 PM
Last enriched: 7/8/2025, 4:40:51 AM
Last updated: 8/14/2025, 6:28:29 PM