CVE-2025-65295

Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Firmware-Insecurity.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:aqara:hub_m2_firmware:4.3.6_0027:*:*:*:*:*:*:*

cpe:2.3:h:aqara:hub_m2:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:aqara:hub_m3_firmware:4.3.6_0025:*:*:*:*:*:*:*

cpe:2.3:h:aqara:hub_m3:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:aqara:camera_hub_g3_firmware:4.1.9_0027:*:*:*:*:*:*:*

cpe:2.3:h:aqara:camera_hub_g3:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-10 22:16

Updated : 2025-12-17 19:49

NVD link : CVE-2025-65295

Mitre link : CVE-2025-65295

CVE.ORG link : CVE-2025-65295

JSON object : View

Products Affected

aqara

hub_m3
hub_m2_firmware
camera_hub_g3
camera_hub_g3_firmware
hub_m3_firmware
hub_m2

CWE

CWE-326

Inadequate Encryption Strength

CWE-347

Improper Verification of Cryptographic Signature

CWE-457

Use of Uninitialized Variable

{"id": "CVE-2025-65295", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2025-12-10T22:16:27.140", "references": [{"url": "https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Firmware-Insecurity.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-326"}, {"lang": "en", "value": "CWE-347"}, {"lang": "en", "value": "CWE-457"}]}], "descriptions": [{"lang": "en", "value": "Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory."}], "lastModified": "2025-12-17T19:49:47.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:aqara:hub_m2_firmware:4.3.6_0027:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DA5251B-FBDF-4020-B4AD-8735547D7BAB"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:aqara:hub_m2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A94EB182-2F3B-42B2-935E-72936E6F8F33"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:aqara:hub_m3_firmware:4.3.6_0025:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B9661B9-D471-4110-995C-04D9165DEA1F"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:aqara:hub_m3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8BC51964-8CAB-4849-A383-0D7D1CA68EE2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:aqara:camera_hub_g3_firmware:4.1.9_0027:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF91CB18-CE99-4A86-A94C-7136288E8C33"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:aqara:camera_hub_g3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E823C290-E362-4BE0-9885-9A7B981134BC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}