An issue in the TP-Link MQTT Broker and API gateway of TP-Link Kasa KP125M v1.0.3 allows attackers to establish connections by impersonating devices owned by other users.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.