CVE-2025-65295
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-17
Assigner: MITRE
Description
Description
Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aqara | hub_m2_firmware | 4.3.6_0027 |
| aqara | hub_m2 | * |
| aqara | hub_m3_firmware | 4.3.6_0025 |
| aqara | hub_m3 | * |
| aqara | camera_hub_g3_firmware | 4.1.9_0027 |
| aqara | camera_hub_g3 | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
| CWE-326 | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| CWE-457 | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. |
