
CVE-2026-0629: CWE-287 Improper Authentication in TP-Link Systems Inc. VIGI InSight Sx45 Series (S245/S345/S445)

Severity: High
Type: Vulnerability
Tags: CVE-2026-0629, cve, cve-2026-0629, cwe-287
Published: Fri Jan 16 2026 (01/16/2026, 17:24:39 UTC)
Source: CVE Database V5
Vendor/Project: TP-Link Systems Inc.
Product: VIGI InSight Sx45 Series (S245/S345/S445)

Description

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security.

AI-Powered Analysis

Last updated: 01/16/2026, 17:51:00 UTC

Technical Analysis

CVE-2026-0629 is an authentication bypass vulnerability categorized under CWE-287, affecting the TP-Link VIGI InSight Sx45 Series IP cameras (models S245, S345, S445). The vulnerability resides in the password recovery mechanism of the device's local web interface. Specifically, an attacker connected to the same local area network (LAN) can exploit a flaw in client-side state management to reset the administrator password without any authentication or verification steps. This bypass occurs because the password recovery feature does not properly validate the legitimacy of the password reset request, allowing manipulation of client-side data to trigger a reset. As a result, the attacker gains full administrative privileges on the device, enabling them to alter configurations, disable security features, or pivot within the network. The CVSS 4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no need for privileges or user interaction. The vulnerability affects all versions identified as '0' (likely initial or all firmware versions prior to patching). No patches or exploits are currently publicly available, but the flaw's nature suggests it could be weaponized in targeted attacks or lateral movement scenarios within compromised networks.

Potential Impact

For European organizations, this vulnerability presents a significant risk, especially for those using TP-Link VIGI InSight Sx45 Series cameras in enterprise, government, or critical infrastructure environments. An attacker exploiting this flaw can gain full administrative control over the affected devices, potentially leading to unauthorized surveillance, tampering with security settings, or using the compromised cameras as footholds for further network intrusion. The breach of confidentiality could expose sensitive video feeds, while integrity and availability impacts could disrupt security monitoring operations. Given the local network access requirement, organizations with poorly segmented or inadequately secured LANs are particularly vulnerable. The risk extends to sectors such as public administration, transportation, energy, and manufacturing, where these cameras may be deployed for physical security. Additionally, the lack of authentication in the password recovery process undermines trust in device security and could lead to compliance issues under European data protection regulations if personal data is exposed.

Mitigation Recommendations

1. Immediately segment the network to isolate VIGI InSight cameras from general user LANs, restricting access to trusted management subnets only.
2. Implement strict access control lists (ACLs) on network switches and routers to limit which devices can communicate with the cameras.
3. Disable or restrict the password recovery feature if possible until a vendor patch is available.
4. Monitor network traffic for unusual password reset attempts or unauthorized access to the camera web interfaces.
5. Enforce strong physical security controls to prevent unauthorized local network access.
6. Regularly audit device configurations and logs to detect signs of compromise.
7. Engage with TP-Link for firmware updates or patches addressing this vulnerability and apply them promptly once released.
8. Consider deploying network intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting these devices.
9. Educate IT and security teams about the vulnerability and the importance of local network security hygiene.
10. For critical deployments, evaluate alternative camera solutions with stronger security postures until this issue is resolved.
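One way to check recommendations 1, 2 and 4 against real traffic is to audit flow records for any host outside the management subnet that touches a camera's web interface. The sketch below is an added example, not part of the advisory or any vendor tooling; the subnet, camera addresses, web ports and the five-field log layout are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values (not from the advisory): replace with your own inventory.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/28")]   # trusted management subnet
CAMERAS = {ipaddress.ip_address(a) for a in ("10.30.0.11", "10.30.0.12")}
WEB_PORTS = {80, 443}                                 # local web interface ports

# Constructed flow records in an assumed layout: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2026-01-16T18:00:01Z 10.20.0.5 10.30.0.11 443 ALLOW
2026-01-16T18:00:07Z 10.40.3.77 10.30.0.11 80 ALLOW
2026-01-16T18:00:09Z 10.40.3.77 10.30.0.12 80 ALLOW
2026-01-16T18:01:30Z 10.40.9.2 10.30.0.12 443 DENY
2026-01-16T18:02:00Z 10.40.3.77 10.50.0.1 443 ALLOW
truncated line
"""

def find_policy_violations(log_text):
    """Map each non-management source to the cameras it reached or was blocked from."""
    hits = defaultdict(lambda: {"ALLOW": set(), "DENY": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated records
        _ts, src, dst, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if dst_ip not in CAMERAS or port not in WEB_PORTS:
            continue  # not camera web-interface traffic
        if action not in ("ALLOW", "DENY"):
            continue
        if any(src_ip in net for net in MGMT_NETS):
            continue  # expected management access
        hits[src][action].add(dst)
    # "reached" means the ACL let it through (segmentation gap);
    # "blocked" means the ACL held but something is probing the cameras.
    return {s: {"reached": sorted(v["ALLOW"]), "blocked": sorted(v["DENY"])}
            for s, v in hits.items()}

if __name__ == "__main__":
    for src, result in find_policy_violations(SAMPLE_FLOWS).items():
        print(src, result)
```

Any source listed under "reached" indicates an ACL gap that leaves the password recovery page exposed to that LAN segment; sources under "blocked" are worth correlating with device logs.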


Technical Details

Data Version: 5.2
Assigner Short Name: TPLink
Date Reserved: 2026-01-06T00:07:04.905Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 696a7724b22c7ad868c4289e

Added to database: 1/16/2026, 5:36:36 PM

Last enriched: 1/16/2026, 5:51:00 PM

Last updated: 1/16/2026, 6:42:28 PM
