CVE-2022-32504
📋 TL;DR
A stack buffer overflow vulnerability in Nuki smart lock devices allows remote code execution by sending specially crafted JSON objects via WebSocket. This affects Nuki Smart Lock 2.0/3.0 and Nuki Bridge v1/v2 devices with outdated firmware, potentially enabling attackers to take control of smart locks.
💻 Affected Systems
- Nuki Smart Lock 2.0
- Nuki Smart Lock 3.0
- Nuki Bridge v1
- Nuki Bridge v2
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of smart lock device allowing attacker to unlock doors remotely, disable security features, or use device as pivot point into home network.
Likely Case
Unauthorized access to physical premises through manipulated smart lock functionality.
If Mitigated
No impact if devices are updated to patched firmware versions and isolated from untrusted networks.
🎯 Exploit Status
Exploitation requires network access to device WebSocket service. Technical details and proof-of-concept are publicly available in NCC Group advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Smart Lock 3.0: 3.3.5+, Smart Lock 2.0: 2.12.4+, Bridge v1: 1.22.0+, Bridge v2: 2.13.2+
Vendor Advisory: https://nuki.io/en/security-updates/
Restart Required: Yes
Instructions:
1. Open Nuki app on mobile device. 2. Navigate to device settings. 3. Check for firmware updates. 4. Apply available updates. 5. Device will restart automatically after update.
🔧 Temporary Workarounds
Network isolation
allPlace Nuki devices on isolated VLAN or network segment without internet access
Disable remote access
allTurn off WebSocket service or disable remote access features in Nuki app
🧯 If You Can't Patch
- Disconnect devices from network entirely and use only Bluetooth/local access
- Implement strict network firewall rules blocking all inbound connections to Nuki devices
🔍 How to Verify
Check if Vulnerable:
Check firmware version in Nuki app: Settings > Device Information > Firmware VersionCheck Version:
No CLI command - use Nuki mobile app interfaceVerify Fix Applied:
Confirm firmware version matches or exceeds patched versions listed in fix_official section📡 Detection & Monitoring
Log Indicators:
- Unusual WebSocket connection patterns
- Multiple failed JSON parsing attempts
- Device restart events
Network Indicators:
- Unusual traffic to Nuki device ports (default 8080/TCP)
- Malformed JSON payloads in WebSocket traffic
SIEM Query:
source="network_firewall" dest_port=8080 AND protocol="websocket" AND payload_size>threshold🔗 References
- https://latesthackingnews.com/2022/07/28/multiple-security-flaws-found-in-nuki-smart-locks/
- https://nuki.io/en/security-updates/
- https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulnerabilities-in-nuki-smart-locks-cve-2022-32509-cve-2022-32504-cve-2022-32502-cve-2022-32507-cve-2022-32503-cve-2022-32510-cve-2022-32506-cve-2022-32508-cve-2/
- https://www.hackread.com/nuki-smart-locks-vulnerabilities-plethora-attack-options/
- https://latesthackingnews.com/2022/07/28/multiple-security-flaws-found-in-nuki-smart-locks/
- https://nuki.io/en/security-updates/
- https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulnerabilities-in-nuki-smart-locks-cve-2022-32509-cve-2022-32504-cve-2022-32502-cve-2022-32507-cve-2022-32503-cve-2022-32510-cve-2022-32506-cve-2022-32508-cve-2/
- https://www.hackread.com/nuki-smart-locks-vulnerabilities-plethora-attack-options/
