# Exploit Title: Tapo C310 RTSP server v1.3.0- Unauthorised Video Stream Access # Date: 19th July 2022 # Exploit Author: dsclee1 # Vendor Homepage: tp-link.com # Software Link: http://download.tplinkcloud.com/firmware/Tapo_C310v1_en_1.3.0_Build_220328_Rel.64283n_u_1649923652150.bin # Version: 1.3.0 # Tested on: Linux – running on camera # CVE : CVE-2022-37255 These Tapo cameras work via an app. There is a facility on the app to set up a “Camera Account”, which adds user details for the RTSP server. Unfortunately if you don’t set up the user details on versions 1.3.0 and below there are default login details. I sourced these from the “cet” binary on the camera. You can gain unauthorised access to the RTSP stream using the following user details: User: --- Password: TPL075526460603