CVE-2025-65295
Last modified
CVE-2025-65295 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory.. EPSS estimates a 0.20% chance of exploitation in the next 30 days.
Description
Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Aqara | Hub M2 Firmware | 4.3.6_0027 |
| Aqara | Hub M3 Firmware | 4.3.6_0025 |
| Aqara | Camera Hub G3 Firmware | 4.1.9_0027 |
References
- https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Firmware-Insecurity.mdExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-65295?
How severe is CVE-2025-65295?
How do I fix CVE-2025-65295?
Are you affected by CVE-2025-65295?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST