HeadlinesBriefing favicon HeadlinesBriefing.com

TP-Link Kasa EC71 Vulnerabilities Patched in Firmware 2.4.1

Hacker News •
×

A security advisory for the TP-Link Kasa Spot EC71 (firmware 2.3.26) details multiple vulnerabilities remediated in 2.4.1. Authored by Christopher Childress (Bad Chemical), the disclosure followed coordinated vulnerability protocols. Two CVEs were assigned: CVE-2026-9770 (RSA/IAM) and CVE-2026-13230 (GPS).

Three primary vulnerability chains were confirmed: hardcoded fleet-wide RSA private keys (legacy 1024-bit and active 2048-bit) extractable from SPI flash; unsalted MD5 storage of user cloud credentials in config/account across filesystem partitions; and unauthenticated exposure of precise GPS coordinates. The GPS issue has been publicly known across TP-Link cameras since 2020. A secondary market attack path enables recovery of previous owner credentials and GPS data from factory-reset devices.

The coordinated disclosure timeline spanned January to July 2026, including documented triage failures and a permanently bricked test device during beta validation (2.4.0). Final validation of 2.4.1 completed June 25, 2026, with staged rollout beginning late June. The advisory was published July 16, 2026. Vendor CVSS 4.0 score for CVE-2026-9770 is 8.6.