CVE-2025-65295
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-17
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aqara | hub_m2_firmware | 4.3.6_0027 |
| aqara | hub_m2 | * |
| aqara | hub_m3_firmware | 4.3.6_0025 |
| aqara | hub_m3 | * |
| aqara | camera_hub_g3_firmware | 4.1.9_0027 |
| aqara | camera_hub_g3 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-457 | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. |
| CWE-326 | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability covers multiple weaknesses in the firmware update process of the affected Aqara Hub devices. Attackers can install malicious firmware because the devices do not properly verify firmware signatures during updates. The update process also relies on cryptographic methods that are not strong enough for the purpose, which can be exploited to forge valid signatures, and the devices expose sensitive information through improperly initialized memory.
How can this vulnerability impact me?
An attacker exploiting this vulnerability could install malicious firmware on affected Aqara Hub devices, potentially gaining unauthorized control or access. This could lead to compromised device functionality, data breaches, or further attacks on the network where the device is deployed.