CVE-2026-0629 is an authentication bypass vulnerability categorized under CWE-287, affecting TP-Link Systems Inc.'s VIGI InSight Sx45 Series IP cameras (models S245, S345, S445). The vulnerability resides in the password recovery mechanism of the device's local web interface. Specifically, an attacker connected to the same local area network (LAN) can exploit improper authentication controls by manipulating client-side state data during the password recovery process. This manipulation circumvents the intended verification steps, allowing the attacker to reset the administrator password without providing valid credentials or completing any authentication challenge. Once the password is reset, the attacker gains full administrative privileges on the device, enabling them to modify device configurations, potentially disable security features, intercept or redirect video streams, and pivot to other network resources. The vulnerability does not require prior authentication or user interaction, and the attack complexity is low. The CVSS 4.0 base score of 8.7 reflects the high impact on confidentiality, integrity, and availability, with an attack vector limited to local network access. No patches or official fixes have been published yet, and no known exploits have been observed in the wild. However, the vulnerability poses a significant risk to environments where these cameras are deployed, especially in enterprise or critical infrastructure settings where network security is paramount.

For European organizations, the impact of CVE-2026-0629 can be severe. The affected devices are network-connected surveillance cameras often used in corporate, governmental, and critical infrastructure environments. Exploitation allows attackers to gain full administrative control over these devices, which can lead to unauthorized surveillance, tampering with video feeds, disabling security monitoring, and using the compromised cameras as a foothold for lateral movement within the network. This can result in breaches of sensitive data, violation of privacy regulations such as GDPR, and disruption of security operations. The local network access requirement limits remote exploitation but does not eliminate risk, as attackers may gain LAN access through compromised endpoints, insider threats, or physical proximity. The vulnerability undermines trust in physical security controls and can have cascading effects on overall network security posture.

European organizations should implement the following specific mitigations: 1) Immediately isolate affected TP-Link VIGI InSight Sx45 cameras from sensitive network segments and restrict access to their management interfaces to trusted administrators only. 2) Employ network segmentation and VLANs to limit LAN access to these devices, preventing unauthorized users from reaching the local web interface. 3) Monitor network traffic for unusual access patterns or password reset attempts on these cameras. 4) Disable the password recovery feature if possible or restrict it via device configuration. 5) Regularly audit and update device firmware; although no patch is currently available, stay alert for vendor updates addressing this vulnerability. 6) Implement strong physical security controls to prevent unauthorized LAN access. 7) Use network access control (NAC) solutions to enforce device authentication and limit rogue device connections. 8) Consider replacing vulnerable devices with models that have verified secure authentication mechanisms if mitigation is not feasible. 9) Educate IT and security staff about this vulnerability and the importance of monitoring and controlling local network access to IoT and surveillance devices.