Click to skip the navigation bar

Security Advisory: Information Disclosure Vulnerabilities on Kasa EC70 and EC71 (CVE-2026-9770 & CVE-2026-13230)

Security Advisory
Last updated: July 15, 2026

TP-Link has identified multiple vulnerabilities affecting Kasa EC70 v4 and EC71 v4 devices. These vulnerabilities may allow attackers on the local network to access sensitive information under certain conditions.

Description of vulnerabilities and impact:

CVE-2026-9770: Hardware Cryptographic Key Information Disclosure Vulnerability

A hardcoded cryptographic key is embedded in the system image, allowing an attacker on the local network to compromise the confidentiality of communications with the device’s web management interface.

Successful exploitation may allow attacker to conduction MITM attacks and intercept or obtain administrative credentials.

CVSS v4.0 Score: 8.6 / High

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CVE-2026-13230: Information Disclosure Vulnerability in Local Discovery Response

The local discovery mechanism exposes sensitive geolocation information without requiring authentication. This issue allows an attacker on the same local network to retrieve geolocation-related data through crafted responses.

The vulnerability impacts confidentiality only, with no evidence of integrity of availability impact.

CVSS v4.0 Score: 5.3 / Medium

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products/Versions and Fixes:

Affected Product Model

CVE

Fixed Version

Kasa EC70 v4

Kase EC71 v4

CVE-2026-9770

CVE-2026-13230

CVE-2026-9770

CVE-2026-13230

2.4.0 Build 20260520 rel.4191
2.4.1 Build 20260621 rel.76536

2.4.0 Build 20260520 rel.4191

2.4.1 Build 20260621 rel.76536

Recommendations:

We strongly recommend that users with affected devices take the following actions:

  1. Follow the instructions to update to the latest firmware version to fix the vulnerabilities:

US: Download for EC70 | TP-Link

Download for EC71 | TP-Link

EN: Download for EC70 | TP-Link

Download for EC71 | TP-Link

  1. Update the Kasa app on your mobile device.

Disclaimer:

This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers promptly apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.

Related FAQs

Looking For More

Is this faq useful?

Your feedback helps improve this site.

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >