Watchful IP

45 posts

Watchful IP (@Watchful_IP)

Security researching in the middle of the night. Focusing on ARM based embedded IoT

Joined August 2021
5 Following, 405 Followers

Pinned Tweet
Watchful IP (@Watchful_IP):
Zyxel DX3301-T0/EX3301-T0 Router Post Auth Vulnerability for root shell. Bootloader vulnerability for full debug commands access. General Notes #infosec #zyxel #iot watchfulip.github.io

Victor Fresk0 (@hacefresko):
Zyxel has published 2 CVEs for some vulns I found :D CVE-2025-13943: Authenticated command injection in log export CGI CVE-2025-13942: Unauthenticated command injection in UPnP daemon I will blog about this in the coming months. Meanwhile, exploits here: github.com/hacefresko/CVEs

Watchful IP (@Watchful_IP):
@WeldPond There are of course exceptions. Should it work this way? Probably not - but at the same time security researchers spend many hours finding a vulnerability or doing contracted security testing and have to earn a living. Anything important I find I make sure it gets fixed.

Watchful IP (@Watchful_IP):
@WeldPond In my experience this is usually how it works, which is why my disclosure blog stays mostly silent unless it's a personal project or the vendor has a no bug bounty policy. If the vendor does publicly disclose at all, there is often a tendency to downplay the impact/severity.

Watchful IP (@Watchful_IP):
@AIengineerlife @0xor0ne I'm not aware of in the wild exploitation - Zyxel PSIRT were sent my formal report (linked in my blog post) ahead of publication. The FW of other platforms I checked appear to no longer be vulnerable, with one exception they are actively reviewing (not yet confirmed vulnerable).

The AI generalist (@AIengineerlife):
@0xor0ne @Watchful_IP Post-auth root shell on Zyxel routers is concerning given their deployment in SOHO environments. Has there been any indication of active exploitation? Worth checking if this affects other models in the DX/EX series with similar firmware.

Watchful IP (@Watchful_IP):
@evilsocket You are more than welcome my friend - as security researchers we all know exactly how fun those rabbit holes can be or what treasures we might find :)

Simone Margaritelli (@evilsocket):
@Watchful_IP 100% thank you so much for offering such big shoulder to hop on, real fun weekend rabbit hole 🙏

Simone Margaritelli (@evilsocket):
150 days after initial disclosure, here is the writeup (link in the comments to make the algo happy). TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy in the Era of AI Assisted Reverse Engineering

Watchful IP reposted

faulty *ptrrr (@0x_shaq):
For the embedded security enthusiast, here's a list of resources of vuln researchers inspecting the TP-Link security camera(s):
> By @evilsocket: TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy in the Era of AI Assisted Reverse Engineering: evilsocket.net/2025/12/18/TP-…
> By (me🤓): Exploiting n-day in Home Security Camera: pwner.gg/blog/2024-01-0…
> By @Watchful_IP: Link (Tapo) C210 cloud camera: bootloader vulnerability and firmware decryption: watchfulip.github.io/28-12-24/tp-li…
> By @two06: Hacking a Tapo TC60 Camera: medium.com/@two06/hacking-a-tapo-tc60-camera-e6ce7ca6cad1
> By @drmnsamoliu: Tapo C200 IP camera research project: drmnsamoliu.github.io/index.html

Watchful IP (@Watchful_IP):
@evilsocket Great research and excellent write up. Glad my own helped out/saved time :)

Watchful IP (@Watchful_IP):
@kindnessuae @0xor0ne Totally valid point. Unfortunately, in many cases if you want to collect a bug bounty you have to sign an NDA/contract which prevents you from publishing or CVE assignment etc. The vast majority of my finds will therefore never be known except to the relevant vendor.

Jawad Al Hashmi (@kindnessuae):
@Watchful_IP @0xor0ne Sharing your findings openly, rather than keeping them in a closed report, really elevates the conversation. This candid approach strengthens the infosec community.

Watchful IP (@Watchful_IP):
@kindnessuae @0xor0ne Thank you my friend - I appreciate those kind words. This was just a fun personal project for me which meant I didn't have to write a dry confidential formal report that very few people would actually read. Made a nice change to share for once.

Jawad Al Hashmi (@kindnessuae):
@0xor0ne @Watchful_IP Uncovering bootloader gaps and decrypting firmware with UART is no small feat. Acknowledging GPL compliance while revealing real flaws reflects the rigor infosec research demands.

Watchful IP (@Watchful_IP):
@devwizardoh @0xor0ne Thanks my friend :) When (non tech) people ask what I do, I usually say I try to find the weakness in products on the Internet to get them fixed before the bad guys can use them to hurt people. Bug bounties are of course a nice bonus.

Oحaddad (@devwizardoh):
@Watchful_IP @0xor0ne Awesome to see you back, @Watchful_IP! Your TP-Link C210 V2 deep dive is pure gold. Can't wait for more insights from you! Let's keep pushing the boundaries of IoT security.

Watchful IP (@Watchful_IP):
@devwizardoh @0xor0ne Thanks for your kind words :) Haven't been able to share any work for 3 years, but always read @0xor0ne posts, and wanted to share the approaches I took with this one.

Oحaddad (@devwizardoh):
@0xor0ne @Watchful_IP Great deep dive into TP-Link C210 V2! The root shell access part is gold. Love the thorough ethical approach. Now, who's up for more IoT tinkering?

Watchful IP (@Watchful_IP):
@AbcXyz03921267 @0xor0ne I thought the way I fixed a corrupted romfs partition was interesting so thought I'd write it up. And overall it was just nice to be able to share something after years of having to be publicly silent. If an RCE I'd have had to follow normal CVD procedure with the vendor.

Abc Xyz (@AbcXyz03921267):
@0xor0ne @Watchful_IP This is quality work. I'm just pointing out the market trend with IP cam firmware

Watchful IP (@Watchful_IP):
@AbcXyz03921267 @0xor0ne No analysis of the network attack surface or cloud infrastructure was made at all. As this was not contracted testing work, I was just focused on having fun with it. Hopefully the firmware decryption tool I published will be of interest, especially with the TP-Link ban in the news.