CRITICAL🇵🇱 Wersja polska

CVE-2025-65294

CVSS 9.8v3.1pub. 2025-12-10upd. 2025-12-17

Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 contain an undocumented remote access mechanism enabling unrestricted remote command execution.

🤖 AI Analysis
How it works

Aqara Hub device firmware contains an undocumented remote access interface that does not require authentication or user interaction. Through this mechanism, an attacker can transmit and execute arbitrary system commands on the device (CWE-94 — improper control of generation of code). The attack vector is network-based, without the requirement of any privileges or physical access to the device.

Impact

An attacker can gain full control over the device, which includes confidentiality, integrity, and availability of the system — data reading, configuration modification, execution of arbitrary commands, and potential use of the device as an entry point to the local network are possible.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. Until the fix is deployed, it is recommended to isolate Aqara Hub devices from public network access, for example through network segmentation or firewall restriction of access to trusted hosts only.

Who is affected

Aqara Camera Hub G3 firmware 4.1.9_0027, Aqara Hub M2 firmware 4.3.6_0027, Aqara Hub M3 firmware 4.3.6_0025

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Aqara Camera Hub G3

    HW
    Aqara
    wszystkie wersje
  • Aqara Camera Hub G3 Firmware

    OS
    Aqara
    4.1.9_0027
  • Aqara Hub M2

    HW
    Aqara
    wszystkie wersje
  • Aqara Hub M2 Firmware

    OS
    Aqara
    4.3.6_0027
  • Aqara Hub M3

    HW
    Aqara
    wszystkie wersje
  • Aqara Hub M3 Firmware

    OS
    Aqara
    4.3.6_0025
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-65291HIGH7.4ten sam produkt

Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 fail to validate se...

CVE-2025-65297HIGH7.5ten sam produkt

Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 automatically c...

CVE-2025-65292HIGH7.3ten sam produkt

Command injection vulnerability in Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, an...

CVE-2025-65290HIGH7.4ten sam produkt

Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 fail to validat...

CVE-2025-65295HIGH8.1ten sam produkt

Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_00...