CVE-2025-65297


Summary

CVE-2025-65297 is a high-severity vulnerability affecting Aqara Hub devices. The Camera Hub G3 (firmware 4.1.9_0027), Hub M2 (firmware 4.3.6_0027), and Hub M3 (firmware 4.3.6_0025) automatically collect sensitive information and upload it in unencrypted form, without explicit disclosure or consent. This unauthorized data transmission poses a significant privacy and security risk to users.

Technical Details

The vulnerability stems from the affected hubs' built-in behavior of collecting user data and uploading it to remote servers without proper encryption or user consent. The critical flaw is that this data travels in cleartext, so anyone able to observe the traffic can read it. Depending on the device's capabilities and what is collected, the data could include personally identifiable information (PII), device configuration data, and potentially audio/video recordings. The lack of disclosure or consent compounds the problem: users do not know the data is being collected and transmitted this way, so they cannot take proactive measures to protect their privacy.

Because the collection and upload happen automatically, the exposure is continuous rather than tied to any user action. An attacker positioned on the same network as the hub, or one who has already compromised the device, could intercept the unencrypted stream and obtain the sensitive information it carries. The issue is particularly concerning given the increasing prevalence of IoT devices in homes and businesses and the growing awareness of the privacy risks associated with them.

Affected Products and Versions

The following Aqara Hub devices and firmware versions are known to be affected by CVE-2025-65297:

  • Aqara Camera Hub G3 (Firmware Version 4.1.9_0027)
  • Aqara Hub M2 (Firmware Version 4.3.6_0027)
  • Aqara Hub M3 (Firmware Version 4.3.6_0025)

Impact Assessment

Successful exploitation of CVE-2025-65297 can have significant consequences for users of affected Aqara Hub devices. The unauthorized collection and transmission of unencrypted sensitive information can lead to:

  • Data Breach Risk: Intercepted data could expose personally identifiable information (PII), device configuration details, and potentially audio/video recordings, leading to identity theft, financial fraud, and other malicious activities.
  • Privacy Violation: The lack of disclosure and consent regarding data collection constitutes a serious violation of user privacy.
  • System Compromise: The vulnerability does not itself grant control of the device, but the exposed data (for example, configuration details) could assist further attacks against the device or the user's network.
  • Reputational Damage: Aqara could suffer significant reputational damage due to the privacy implications of this vulnerability.

Remediation

Currently, there is no official patch or firmware update available from Aqara to address CVE-2025-65297. Users are advised to take the following steps to mitigate the risk:

Immediate Actions

  • Monitor Network Traffic: Use network monitoring tools to analyze the traffic generated by your Aqara Hub devices and identify any suspicious or unencrypted data transmissions.
  • Isolate Affected Devices: If possible, isolate the affected Aqara Hub devices on a separate network segment to limit their access to other devices and sensitive data.
  • Disable Unnecessary Features: Disable any features on the Aqara Hub devices that are not needed and that may contribute to data collection and transmission.
  • Contact Aqara Support: Contact Aqara support and urge them to release a patch or firmware update that addresses the vulnerability.

Long-term Solutions

  • Demand Transparency: Advocate for greater transparency from Aqara regarding their data collection practices and ensure that they obtain explicit user consent before collecting and transmitting any sensitive information.
  • Consider Alternative Solutions: Evaluate alternative smart home hub solutions that prioritize user privacy and data security.

Detection & Scanning

Detecting CVE-2025-65297 requires analyzing network traffic originating from the affected Aqara devices. Look for plaintext (non-TLS) connections from the hubs to external servers. A packet capture tool such as Wireshark can be used to record and inspect the packets.
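The following script is an added example for this advisory (not Aqara's code and not part of the original page). It implements the check described above and in the "Monitor Network Traffic" step: given the first data-bearing packet of each flow leaving a hub, it treats anything that does not start with a TLS record header and is bound for a host outside the local LAN as a plaintext upload worth investigating. The hub addresses, the LAN range, the destination addresses (IANA documentation ranges) and the packet payloads are all constructed sample data.

```python
"""Flag plaintext (non-TLS) uploads from smart-home hubs to Internet hosts.

Added example for this advisory; not Aqara code. All addresses and
payloads below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: LAN addresses assigned to the hubs being monitored.
HUB_ADDRS = {"192.168.1.50", "192.168.1.51"}

# Assumption: the home LAN. Traffic staying inside it (local discovery,
# DNS to the gateway) is out of scope; everything else counts as external.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Packet:
    """First payload-bearing packet of a flow, as a capture tool would export it."""
    src: str
    dst: str
    dport: int
    payload: bytes


def is_tls_record(payload: bytes) -> bool:
    """True if the bytes begin with a TLS record header (type, major version 3)."""
    return (
        len(payload) >= 5
        and payload[0] in (0x14, 0x15, 0x16, 0x17)   # CCS, alert, handshake, app data
        and payload[1] == 0x03
        and payload[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
    )


def classify_payload(payload: bytes) -> str:
    """Coarse transport classification of a flow's first bytes."""
    if is_tls_record(payload):
        return "tls"
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"PUT ", b"HTTP/")):
        return "plaintext-http"
    return "plaintext-other"


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def find_plaintext_uploads(packets: List[Packet]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, kind) for every non-TLS flow from a hub to an external host."""
    findings = []
    for p in packets:
        if p.src not in HUB_ADDRS:
            continue                      # not a monitored hub
        if is_local(p.dst):
            continue                      # stays on the LAN
        kind = classify_payload(p.payload)
        if kind != "tls":
            findings.append((p.src, p.dst, p.dport, kind))
    return findings


# Constructed sample capture: 203.0.113.0/24 and 198.51.100.0/24 stand in for cloud hosts.
SAMPLE_PACKETS = [
    # TLS ClientHello (record type 0x16, version 3.1) to a cloud endpoint: encrypted, not reported
    Packet("192.168.1.50", "203.0.113.10", 443,
           bytes.fromhex("160301 00c4 0100 00c0 0303") + b"\x00" * 16),
    # Plaintext HTTP POST carrying a JSON body to a public host: reported
    Packet("192.168.1.50", "203.0.113.20", 80,
           b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n{\"model\":\"hub\"}"),
    # Unrecognised binary protocol, no TLS framing, to a public host: reported
    Packet("192.168.1.51", "198.51.100.5", 8080, b"\x01\x02device-report\x00"),
    # Plaintext DNS to the LAN gateway: local, not reported
    Packet("192.168.1.51", "192.168.1.1", 53, b"\x12\x34\x01\x00"),
    # Plaintext HTTP from a laptop, not a hub: not reported
    Packet("192.168.1.20", "203.0.113.20", 80, b"GET / HTTP/1.1\r\n\r\n"),
]


if __name__ == "__main__":
    for src, dst, dport, kind in find_plaintext_uploads(SAMPLE_PACKETS):
        print(f"{src} -> {dst}:{dport}  {kind}")
```

With a real capture, build one `Packet` per flow from the first packet that carries data (for example from a tshark or Wireshark export) and review every finding by hand: a TLS record header only shows that the transport is encrypted, not that the content or destination is appropriate, and `plaintext-other` hits can include legitimate unencrypted protocols such as NTP, so tune by destination port and host before raising an alert.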
