Security Advisory: Information Disclosure Vulnerabilities on Kasa EC70 and EC71 (CVE-2026-9770 & CVE-2026-13230)
TP-Link has identified multiple vulnerabilities affecting Kasa EC70 v4 and EC71 v4 devices. These vulnerabilities may allow attackers on the local network to access sensitive information under certain conditions.
Description of vulnerabilities and impact:
CVE-2026-9770: Hardware Cryptographic Key Information Disclosure Vulnerability
A hardcoded cryptographic key is embedded in the system image, allowing an attacker on the local network to compromise the confidentiality of communications with the device’s web management interface.
Successful exploitation may allow attacker to conduction MITM attacks and intercept or obtain administrative credentials.
CVSS v4.0 Score: 8.6 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVE-2026-13230: Information Disclosure Vulnerability in Local Discovery Response
The local discovery mechanism exposes sensitive geolocation information without requiring authentication. This issue allows an attacker on the same local network to retrieve geolocation-related data through crafted responses.
The vulnerability impacts confidentiality only, with no evidence of integrity of availability impact.
CVSS v4.0 Score: 5.3 / Medium
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products/Versions and Fixes:
|
Affected Product Model |
CVE |
Fixed Version |
|
Kasa EC70 v4
Kase EC71 v4 |
CVE-2026-9770 CVE-2026-13230
CVE-2026-9770 CVE-2026-13230 |
2.4.0 Build 20260520 rel.4191
2.4.0 Build 20260520 rel.4191 2.4.1 Build 20260621 rel.76536 |
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Follow the instructions to update to the latest firmware version to fix the vulnerabilities:
US: Download for EC70 | TP-Link
EN: Download for EC70 | TP-Link
- Update the Kasa app on your mobile device.
Disclaimer:
This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers promptly apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.
Looking For More
Is this faq useful?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.