CVE-2025-65290


Summary

CVE-2025-65290 is a high-severity vulnerability affecting Aqara Hub devices. The vulnerability stems from a failure to properly validate server certificates during HTTPS firmware downloads, allowing a man-in-the-middle (MitM) attacker to intercept and potentially modify firmware updates.

Technical Details

Aqara Hub devices, including the Camera Hub G3, Hub M2, and Hub M3, download firmware updates over HTTPS. However, the devices do not adequately verify the server certificate presented during the TLS handshake. This lack of proper certificate validation allows an attacker positioned in the network path between the device and the update server to intercept the communication. The attacker can then present a fraudulent certificate, impersonating the legitimate update server. The vulnerable Aqara Hub will accept this fraudulent certificate and proceed with the firmware download from the attacker's server. This allows the attacker to serve a malicious or compromised firmware image, potentially leading to full device compromise.

The vulnerability lies in the absence of crucial certificate validation steps, such as verifying the certificate's chain of trust against a trusted root certificate authority (CA) and confirming that the certificate's hostname matches the expected update server hostname. Without these checks, the device is susceptible to MitM attacks.

Affected Products and Versions

The following Aqara Hub devices and firmware versions are known to be affected by CVE-2025-65290:

  • Aqara Camera Hub G3 firmware version 4.1.9_0027
  • Aqara Hub M2 firmware version 4.3.6_0027
  • Aqara Hub M3 firmware version 4.3.6_0025

Other versions may also be affected. Users are advised to check with Aqara for the latest security updates.

Impact Assessment

Successful exploitation of CVE-2025-65290 can have significant consequences:

  • Device Compromise: An attacker can inject malicious code into the firmware, gaining control over the Aqara Hub device.
  • Data Breach Risk: Compromised hubs can be used to eavesdrop on network traffic, potentially exposing sensitive data transmitted by other connected devices.
  • Remote Control: An attacker could remotely control the compromised hub and any connected smart home devices, such as lights, locks, and cameras.
  • Botnet Recruitment: Compromised hubs can be recruited into botnets for malicious purposes, such as distributed denial-of-service (DDoS) attacks.
  • Loss of Functionality: A malicious firmware update could render the hub unusable, disrupting smart home functionality.

Remediation

To mitigate the risk posed by CVE-2025-65290, users should take the following steps:

Immediate Actions

  • Monitor Network Traffic: Closely monitor network traffic for any suspicious activity originating from Aqara Hub devices.
  • Isolate Affected Devices: Consider isolating affected devices from the main network to prevent potential lateral movement by attackers.

Long-term Solutions

  • Apply Firmware Updates: Aqara is expected to release firmware updates that address this vulnerability. Apply these updates as soon as they become available. Because the fix is delivered over the same update channel this vulnerability weakens, apply it from a trusted network rather than an untrusted or shared one.
  • Implement Network Segmentation: Segment your network to limit the impact of a potential compromise. Place IoT devices on a separate network segment with limited access to sensitive resources.
  • Enable Network Intrusion Detection Systems (IDS): Deploy an IDS to detect and alert on suspicious network activity, including potential MitM attacks.

Detection & Scanning

Detecting CVE-2025-65290 requires monitoring network traffic for suspicious activity related to firmware updates from Aqara Hub devices. Look for connections to unexpected servers or the use of invalid SSL/TLS certificates. Because the vulnerable hub accepts such certificates itself, this validation has to be performed by the network sensor. Network intrusion detection systems (IDS) can be configured to detect these types of attacks.
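The detection pass described above, as an added example that is not part of the original page or of Aqara's own tooling: it runs over constructed, Zeek-style TLS records and applies the two checks the hub omits, chain of trust and hostname match, from the sensor's side. The hub addresses, the update hostname and the log layout are assumptions.

```python
"""Spot TLS sessions from Aqara hubs that a validating client would have rejected.
Added example: addresses, hostnames and log layout are constructed placeholders."""

# Assumed inventory of hub addresses on the LAN (constructed).
HUB_ADDRESSES = {"192.168.50.21", "192.168.50.22"}
# Assumed allowlist of legitimate firmware hosts (placeholder name).
EXPECTED_UPDATE_HOSTS = {"fw.example-vendor.invalid"}

FIELDS = ("ts", "src_ip", "dst_ip", "server_name", "subject_cn", "validation_status")

# Constructed, Zeek-style tab-separated TLS records (simplified field set).
# validation_status is the network sensor's own verdict on the certificate;
# the vulnerable hub performs no such check, so the sensor must.
SAMPLE_LOG = """\
1700000000.1\t192.168.50.21\t203.0.113.10\tfw.example-vendor.invalid\tfw.example-vendor.invalid\tok
1700000001.2\t192.168.50.22\t198.51.100.7\tfw.example-vendor.invalid\tfw.example-vendor.invalid\tself signed certificate
1700000002.3\t192.168.50.21\t198.51.100.9\tfw.example-vendor.invalid\tother-host.invalid\tok
1700000003.4\t192.168.50.99\t198.51.100.7\tnews.example.invalid\tnews.example.invalid\tself signed certificate
"""

def parse_log(text: str) -> list[dict[str, str]]:
    """Turn tab-separated records into dicts, skipping blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def classify(rec: dict[str, str]) -> list[str]:
    """Reasons a hub session fails the checks the hub itself should have made."""
    if rec["src_ip"] not in HUB_ADDRESSES:
        return []                                   # only hub traffic is in scope
    reasons = []
    if rec["server_name"] not in EXPECTED_UPDATE_HOSTS:
        reasons.append("unexpected server name: " + rec["server_name"])
    if rec["validation_status"] != "ok":            # chain of trust not established
        reasons.append("chain failed: " + rec["validation_status"])
    if rec["subject_cn"] != rec["server_name"]:     # hostname check (CN only here;
        reasons.append("hostname mismatch: cert for " + rec["subject_cn"])  # real matching covers SANs)
    return reasons

def find_suspicious(text: str) -> list[dict]:
    """Every hub record with at least one reason attached."""
    return [{**r, "reasons": why} for r in parse_log(text) if (why := classify(r))]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["src_ip"], "->", hit["dst_ip"], "; ".join(hit["reasons"]))
```

The clean first record and the non-hub fourth record produce no finding; the self-signed certificate and the certificate issued for a different name each do.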
