CVE-2025-53649
BaseFortify
Publication date: 2025-07-29
Last updated on: 2025-07-29
Assigner: JPCERT/CC
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| switchbot | switchbot_app | 9.13 |
| switchbot | switchbot_app | 6.24 |
| switchbot | switchbot_app | 9.12 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the SwitchBot app for iOS and Android (versions V6.24 through V9.12) involves the insertion of sensitive user information into log files stored locally on the device. An attacker who gains access to these application logs could potentially expose sensitive user data. The issue has been fixed in version V9.13 by removing the affected logging and improving the log storage mechanism. [1, 2]
How can this vulnerability impact me?
If exploited, this vulnerability could expose sensitive user information to an attacker who has access to the app's local log files on your device. Because the logs are stored locally and are not accessible externally, the risk of data leakage is rare. No cases of data leakage or misuse have been reported so far. Updating the app to version V9.13 or later mitigates this risk. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves sensitive information being written into local log files by SwitchBot app versions V6.24 through V9.12. Detection would involve inspecting the application's log files on the device for exposed sensitive data. Since the logs are stored locally on the device and are not transmitted over the network, network-based detection is unlikely to be effective. Specific commands are not provided in the resources, but a practical approach is to access the device's file system, locate the log files belonging to the SwitchBot app, and examine their contents for sensitive information. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the SwitchBot app to version 9.13 or later on both iOS and Android devices. This update removes the affected logging and improves the log storage mechanism so that sensitive information is no longer stored in log files. After updating, the app's log files will, within approximately four days, no longer pose this security risk. [1, 2]