CVE-2025-65291
📋 TL;DR
Aqara Hub devices fail to validate TLS server certificates during discovery and CoAP communications, allowing man-in-the-middle attackers to intercept and manipulate device control and monitoring traffic. This affects users of specific Aqara Hub models running vulnerable firmware versions. Attackers could potentially gain unauthorized control over smart home devices.
💻 Affected Systems
- Aqara Hub M2
- Aqara Hub M3
- Aqara Camera Hub G3
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of smart home ecosystem - attackers could control lights, locks, cameras, and other IoT devices, potentially enabling physical security breaches, surveillance, or safety hazards.
Likely Case
Interception of device status and control commands, allowing attackers to monitor home activity, manipulate device states, or disrupt smart home operations.
If Mitigated
Limited impact if devices operate on isolated networks with strict access controls and certificate pinning implemented at network level.
🎯 Exploit Status
Exploitation requires network access to intercept TLS traffic; public GitHub repository contains technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Monitor Aqara official channels for firmware updates.
2. Check the device firmware version in the Aqara app.
3. Apply any available updates through the app.
🔧 Temporary Workarounds
Network Segmentation
Isolate Aqara Hub devices on a separate VLAN with strict firewall rules preventing external communication.
Disable Remote Access
Turn off cloud/remote access features in the Aqara app to limit the attack surface.
🧯 If You Can't Patch
- Segment IoT devices on isolated network with no internet access
- Implement network monitoring for unusual CoAP/TLS traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check firmware version in Aqara app: Settings > About > Firmware Version. Compare against affected versions.
Check Version:
Not applicable - use Aqara mobile app interface
Verify Fix Applied:
Verify firmware version has been updated to a version later than those listed in affected systems.
📡 Detection & Monitoring
Log Indicators:
- Unusual CoAP traffic patterns
- Failed TLS handshakes with discovery services
- Multiple connection attempts from unexpected sources
Network Indicators:
- Man-in-the-middle TLS interception attempts on port 5684 (CoAP)
- Unencrypted CoAP traffic where TLS expected
- Suspicious ARP or DNS spoofing activity
SIEM Query:
source="network_traffic" AND (port=5684 OR protocol="CoAP") AND (tls_validation="failed" OR certificate_validation="bypassed")
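An added example, not part of the advisory and not Aqara code, that applies the SIEM query above to constructed flow records in JSON form and also flags the "unencrypted CoAP where TLS expected" indicator; the field names (`src`, `dst`, `tls`) and the sample records are assumptions about what a flow logger emits.

```python
import json

# Constructed sample flow records in the shape the SIEM query assumes.
# 192.0.2.10 plays the hub; 192.0.2.99 plays an unexpected peer. Not real Aqara logs.
SAMPLE_LOGS = [
    '{"source":"network_traffic","src":"192.0.2.10","dst":"192.0.2.50","port":5684,"protocol":"CoAP","tls_validation":"ok","certificate_validation":"ok"}',
    '{"source":"network_traffic","src":"192.0.2.10","dst":"192.0.2.99","port":5684,"protocol":"CoAP","tls_validation":"failed","certificate_validation":"ok"}',
    '{"source":"network_traffic","src":"192.0.2.10","dst":"192.0.2.99","port":5684,"protocol":"CoAP","tls_validation":"ok","certificate_validation":"bypassed"}',
    '{"source":"network_traffic","src":"192.0.2.10","dst":"192.0.2.50","port":5684,"protocol":"CoAP","tls":false}',
    '{"source":"dhcp","src":"192.0.2.1","dst":"192.0.2.10","port":67,"protocol":"DHCP"}',
]


def matches_siem_query(rec):
    """Same predicate as the SIEM query: network_traffic AND (port 5684 OR CoAP)
    AND (tls_validation failed OR certificate_validation bypassed)."""
    if rec.get("source") != "network_traffic":
        return False
    if rec.get("port") != 5684 and rec.get("protocol") != "CoAP":
        return False
    return (rec.get("tls_validation") == "failed"
            or rec.get("certificate_validation") == "bypassed")


def plaintext_coap_on_secure_port(rec):
    """'Unencrypted CoAP traffic where TLS expected': CoAP on 5684 with the
    (assumed) tls flag explicitly false, i.e. no TLS/DTLS layer was seen."""
    return (rec.get("source") == "network_traffic"
            and rec.get("port") == 5684
            and rec.get("protocol") == "CoAP"
            and rec.get("tls") is False)


def scan(lines):
    """Return (finding_type, src, dst) for every record that trips an indicator."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if matches_siem_query(rec):
            findings.append(("validation_anomaly", rec.get("src"), rec.get("dst")))
        elif plaintext_coap_on_secure_port(rec):
            findings.append(("plaintext_coap", rec.get("src"), rec.get("dst")))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Repeated `validation_anomaly` findings from one hub to a single destination that is not a known Aqara endpoint are the pattern worth alerting on, rather than any single failed handshake.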