CVE-2025-65292
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-17
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aqara | hub_m2_firmware | 4.3.6_0027 |
| aqara | hub_m2 | * |
| aqara | hub_m3_firmware | 4.3.6_0025 |
| aqara | hub_m3 | * |
| aqara | camera_hub_g3_firmware | 4.1.9_0027 |
| aqara | camera_hub_g3 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in Aqara Hub devices, including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025. It allows attackers to execute arbitrary commands with root privileges by using malicious domain names.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can execute arbitrary commands with root privileges on affected Aqara Hub devices. This could lead to full control over the device, unauthorized access to data, disruption of device functionality, or use of the device as a foothold for further attacks within a network.