CVE-2025-65292


Summary

CVE-2025-65292 is a high-severity command injection vulnerability affecting Aqara Hub devices. This flaw allows a remote attacker to execute arbitrary commands with root privileges by exploiting a weakness in the handling of domain names within the device's firmware.

Successful exploitation of this vulnerability can lead to complete compromise of the affected Aqara Hub, potentially allowing attackers to control connected devices, access sensitive data, and establish a persistent foothold within the network.

Technical Details

The command injection vulnerability (CVE-2025-65292) stems from insufficient sanitization of user-supplied domain names in the Aqara Hub firmware. When the device resolves or otherwise processes a configured domain name, the firmware builds a command line that contains the name and passes it to the system's command interpreter without escaping or validating it.

An attacker can therefore supply a domain name containing shell metacharacters (for example semicolons, backticks or pipes) through a configuration setting or network request that the hub processes. When the hub attempts to resolve that name, the interpreter parses the embedded metacharacters and executes the injected commands with root privileges, giving the attacker full control of the device.
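The following C example is added here to illustrate the defect class described above; it is not Aqara firmware code and it assumes nothing about the hub's actual code paths. It shows the unsafe shape (a hostname spliced into a command string for a shell, with `nslookup` assumed as the shelled-out tool) next to a hardened shape: an allow-list hostname validator followed by a direct `getaddrinfo()` call, so no shell ever parses the user-supplied string.

```c
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define MAX_HOSTNAME 253
#define MAX_LABEL    63

enum resolve_status { RESOLVE_OK = 0, RESOLVE_REJECTED = 1, RESOLVE_FAILED = 2 };

/* Allow-list validator for an RFC 1123 hostname: dot-separated labels made of
 * letters, digits and '-', no empty label, no label starting or ending with
 * '-', each label at most 63 bytes, whole name at most 253 bytes. Shell
 * metacharacters (';', '|', '`', '$', '&', whitespace, ...) are rejected simply
 * because they are not on the allow-list, so there is no deny-list to keep
 * complete. A trailing dot is rejected too; relax that if fully-qualified
 * names with an explicit root label must be accepted. */
int is_valid_hostname(const char *name)
{
    size_t total = strlen(name);
    if (total == 0 || total > MAX_HOSTNAME)
        return 0;

    size_t label = 0;
    for (size_t i = 0; i <= total; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {
            /* end of a label: must be non-empty, short enough, not end in '-' */
            if (label == 0 || label > MAX_LABEL || name[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }
        if (label == 0 && c == '-')
            return 0;
        if (!isalnum((unsigned char)c) && c != '-')
            return 0;
        label++;
    }
    return 1;
}

/* The pattern the advisory describes: the hostname is spliced into a command
 * string that a shell will parse later, so any byte the shell treats specially
 * inside `name` changes the meaning of the command. Kept only to show the
 * contrast; the string is never handed to system() here. */
int build_command_unsafe(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "nslookup %s", name);
}

/* Hardened replacement: validate against the allow-list, then ask the resolver
 * library directly. No command string exists, so there is nothing for a shell
 * to misparse, and malformed names are stopped before reaching any subsystem. */
enum resolve_status resolve_host_safe(const char *name)
{
    if (!is_valid_hostname(name))
        return RESOLVE_REJECTED;

    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family   = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return RESOLVE_FAILED;
    freeaddrinfo(res);
    return RESOLVE_OK;
}

int main(void)
{
    /* Constructed inputs: one benign hostname and a few malformed ones. */
    const char *inputs[] = {
        "pool.ntp.org",
        "time.example.net;PLACEHOLDER",  /* shell metacharacter in a "hostname" */
        "-leading-dash.example.com",
        "",
    };
    char cmd[512];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_command_unsafe(cmd, sizeof cmd, inputs[i]);
        printf("input %zu: valid=%d  unsafe command string would be: \"%s\"\n",
               i, is_valid_hostname(inputs[i]), cmd);
    }
    return 0;
}
```

The validator is deliberately an allow-list rather than a list of forbidden characters: a deny-list has to anticipate every quoting and expansion feature of the shell in use, while the allow-list only has to describe what a hostname is. Removing the shell from the path entirely (`getaddrinfo()` instead of a spawned process) is the more important half of the fix; the validator then protects whatever other consumers of the name remain.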

Affected Products and Versions

The following Aqara Hub devices and firmware versions are confirmed to be affected by CVE-2025-65292:

  • Aqara Camera Hub G3: Firmware version 4.1.9_0027
  • Aqara Hub M2: Firmware version 4.3.6_0027
  • Aqara Hub M3: Firmware version 4.3.6_0025

Users of these devices are strongly advised to take immediate action to mitigate the vulnerability.

Impact Assessment

Successful exploitation of CVE-2025-65292 can have severe consequences for affected users and organizations. The ability to execute arbitrary commands with root privileges allows an attacker to:

  • Gain complete control of the Aqara Hub: This includes the ability to modify device settings, install malicious software, and intercept network traffic.
  • Compromise connected devices: An attacker can leverage the compromised hub to control or compromise other devices connected to the Aqara ecosystem, such as smart lights, sensors, and locks.
  • Access sensitive data: The attacker may be able to access stored credentials, configuration files, and other sensitive information stored on the hub or transmitted through it.
  • Establish a persistent foothold: The attacker can install backdoors or other persistent mechanisms to maintain access to the compromised device and network, even after a reboot.
  • Launch further attacks: The compromised hub can be used as a launching point for attacks against other devices on the network or external systems.

Remediation

Addressing CVE-2025-65292 requires immediate action to mitigate the risk of exploitation. Aqara has released firmware updates to address this vulnerability. Users are strongly advised to update their devices to the latest available firmware as soon as possible.

Immediate Actions

  • Update Firmware: Immediately update your Aqara Hub devices to the latest available firmware version provided by Aqara. This is the primary and most effective way to address the vulnerability.
  • Monitor Network Traffic: Monitor network traffic for suspicious activity originating from your Aqara Hub devices. Look for unusual connections, data transfers, or command execution attempts.
  • Isolate Affected Devices: If immediate patching is not possible, consider isolating the affected Aqara Hub devices from the rest of your network to limit the potential impact of a successful attack.

Long-term Solutions

  • Enable Automatic Updates: Enable automatic firmware updates on your Aqara Hub devices to ensure that they receive security patches promptly.
  • Implement Network Segmentation: Segment your network to isolate IoT devices from critical systems. This can help to limit the impact of a successful attack on one device.
  • Use Strong Passwords: Ensure that all devices on your network, including Aqara Hubs, use strong and unique passwords.
  • Regular Security Audits: Conduct regular security audits of your network and IoT devices to identify and address potential vulnerabilities.

Detection & Scanning

Detecting CVE-2025-65292 involves identifying vulnerable Aqara Hub devices and monitoring for suspicious activity indicative of exploitation. Network intrusion detection systems (IDS) can be configured to detect attempts to inject commands through malicious domain names. Vulnerability scanners can also be used to identify devices running vulnerable firmware versions.
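As an added example of the monitoring side (not part of the advisory and not an IDS rule shipped by any vendor), the C program below scans configuration-change log lines for a hostname-bearing field and flags any value that contains bytes a hostname cannot legitimately contain. The log line format and the `ntp_server` field name are assumptions made for the example; the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Bytes a hostname may legitimately contain. Anything outside this set in a
 * hostname-bearing field cannot resolve as a name and matches the shape of
 * the input the advisory describes, so it is worth an alert. */
static const char HOST_CHARS[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.";

/* Copy the value of "key=" from a log line into out (value ends at whitespace
 * or end of line). Returns 1 if the key was present, 0 otherwise. */
int extract_field(const char *line, const char *key, char *out, size_t outlen)
{
    size_t keylen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        /* match a whole key only: at line start or after a space, then '=' */
        if ((p == line || p[-1] == ' ') && p[keylen] == '=') {
            const char *v = p + keylen + 1;
            size_t n = strcspn(v, " \t\r\n");
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += keylen;
    }
    return 0;
}

/* 1 if the value is overlong or contains any byte outside HOST_CHARS. */
int is_suspicious_hostname(const char *value)
{
    size_t len = strlen(value);
    return len > 253 || strspn(value, HOST_CHARS) != len;
}

/* Scan lines, print an alert for each suspicious value, return the count. */
int scan_lines(const char *const *lines, size_t count, const char *key)
{
    int flagged = 0;
    char value[512];
    for (size_t i = 0; i < count; i++) {
        if (!extract_field(lines[i], key, value, sizeof value))
            continue;
        if (is_suspicious_hostname(value)) {
            flagged++;
            printf("ALERT line %zu: %s=\"%s\" contains non-hostname bytes\n",
                   i + 1, key, value);
        }
    }
    return flagged;
}

/* Constructed sample lines; the layout is an assumption, not the hub's real
 * log format. Lines 3 and 4 carry the metacharacters the advisory names. */
static const char *const SAMPLE_LOG[] = {
    "2025-11-01T10:00:01Z cfg set ntp_server=pool.ntp.org",
    "2025-11-01T10:00:05Z cfg set ntp_server=time.example.net",
    "2025-11-01T10:01:12Z cfg set ntp_server=time.example.net;PLACEHOLDER",
    "2025-11-01T10:01:40Z cfg set ntp_server=`PLACEHOLDER`.example.net",
    "2025-11-01T10:02:03Z cfg set log_level=debug",
};
#define SAMPLE_LOG_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void)
{
    int n = scan_lines(SAMPLE_LOG, SAMPLE_LOG_COUNT, "ntp_server");
    printf("%d suspicious hostname value(s)\n", n);
    return 0;
}
```

The same check applies to any other field that should hold a hostname (DNS server, proxy, update server): a value that fails it is either a misconfiguration or an injection attempt, and both deserve a look. Pair this with the firmware-version inventory the paragraph above mentions, since a clean log only tells you no attempt was seen, not that the device is patched.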
