CVE-2025-65292

7.3 HIGH

📋 TL;DR

A command injection vulnerability in Aqara Hub devices allows attackers to execute arbitrary commands with root privileges through specially crafted domain names that the device resolves. It affects Aqara Camera Hub G3, Hub M2, and Hub M3 devices running the vulnerable firmware versions listed below. Successful exploitation gives an attacker complete control of the affected device.

💻 Affected Systems

Products:
  • Aqara Camera Hub G3
  • Aqara Hub M2
  • Aqara Hub M3
Versions: Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, Hub M3 4.3.6_0025
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Devices are vulnerable in default configuration. The vulnerability is triggered through DNS resolution of malicious domain names.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent backdoor installation, data exfiltration, lateral movement to other network devices, and participation in botnets.

🟠

Likely Case

Remote code execution leading to device takeover, surveillance compromise (for camera models), and credential harvesting from the local network.

🟢

If Mitigated

Limited impact if devices are isolated on separate VLANs with strict egress filtering and no internet exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation details are publicly available in a GitHub repository. The attack requires DNS poisoning or user interaction with a malicious domain.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is available. Monitor Aqara security advisories for updates. Apply the workarounds below, or replace the device if it is critical.

🔧 Temporary Workarounds

DNS Filtering and Isolation (platform: Linux)

Block external DNS resolution and restrict device network access. Note that iptables OUTPUT rules match only traffic generated by the host they run on; to restrict the hub's DNS traffic from a gateway, the equivalent rules belong in the FORWARD chain, matched on the hub's source address.

  iptables -A OUTPUT -p udp --dport 53 -j DROP
  iptables -A OUTPUT -p tcp --dport 53 -j DROP

Network Segmentation (platform: All)

Isolate Aqara devices on a separate VLAN with strict firewall rules.

🧯 If You Can't Patch

  • Disconnect devices from internet and use local-only mode if supported
  • Replace vulnerable devices with patched alternatives from different vendors

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version in the Aqara app or web interface. If the version matches the affected list, the device is vulnerable.

Check Version:

Check via Aqara mobile app: Device Settings > About > Firmware Version

Verify Fix Applied:

Verify that the firmware version has been updated beyond the vulnerable versions listed above.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DNS queries from hub devices
  • Unexpected process execution logs
  • Failed authentication attempts from hub IP

Network Indicators:

  • DNS requests to suspicious domains from hub devices
  • Unexpected outbound connections from hub devices
  • Port scanning originating from hub IP

SIEM Query:

source="aqara_hub" AND (event_type="process_execution" OR dns_query="*;*" OR dns_query="*|*")
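The same detection idea as an added example, not part of the original advisory: scan DNS resolver log lines for query names that carry shell metacharacters, optionally limited to the hub devices' IP addresses. It extends the SIEM query above from ';' and '|' to backticks, '&' and '$(' and also flags names that are not syntactically valid hostnames at all; the dnsmasq-style log format, the hub IPs and the log lines are constructed for the example.

```python
import re
from collections import Counter

# Shell metacharacters that never belong in a legitimate hostname. The advisory's
# SIEM query checks ';' and '|'; this extends to '`', '&' and '$(' (assumption:
# same injection class, so the same check applies).
SUSPICIOUS = re.compile(r"[;|`&]|\$\(")

# RFC 1035-style labels (underscore allowed for _srv/_dmarc style names),
# separated by dots; anything else is flagged even without a known metacharacter.
VALID_HOSTNAME = re.compile(
    r"^[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?"
    r"(\.[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?)*\.?$"
)

# dnsmasq-style query line: "query[A] <name> from <source ip>"
QUERY_RE = re.compile(r"query\[([A-Z]+)\] (\S+) from (\S+)")

# Constructed sample log and hub addresses (not from the advisory).
HUB_IPS = {"192.168.50.20", "192.168.50.21"}
SAMPLE_LOG = """\
Jan 01 10:00:01 dnsmasq[123]: query[A] hub-cloud.example.net from 192.168.50.20
Jan 01 10:00:02 dnsmasq[123]: query[A] ntp.example.net from 192.168.50.20
Jan 01 10:00:03 dnsmasq[123]: query[A] bad.example.test;x from 192.168.50.20
Jan 01 10:00:04 dnsmasq[123]: query[A] bad.example.test|y from 192.168.50.21
Jan 01 10:00:05 dnsmasq[123]: query[A] bad.example.test$(z) from 192.168.50.20
Jan 01 10:00:06 dnsmasq[123]: query[A] bad.example.test'x from 192.168.50.20
Jan 01 10:00:07 dnsmasq[123]: query[A] www.example.org from 192.168.50.99
Jan 01 10:00:08 dnsmasq[123]: query[A] bad.example.test;x from 192.168.50.99
"""

def parse_query(line):
    """Return (qtype, qname, src_ip) for a query line, or None for other lines."""
    m = QUERY_RE.search(line)
    return m.groups() if m else None

def is_suspicious(qname):
    """True if the name carries shell metacharacters or is not a valid hostname."""
    return bool(SUSPICIOUS.search(qname)) or not VALID_HOSTNAME.match(qname)

def scan_dns_log(text, hub_ips=None):
    """Return (src_ip, qname) for every suspicious query; if hub_ips is given,
    only queries sourced from those addresses are considered."""
    hits = []
    for line in text.splitlines():
        parsed = parse_query(line)
        if not parsed:
            continue
        _qtype, qname, src_ip = parsed
        if hub_ips and src_ip not in hub_ips:
            continue
        if is_suspicious(qname):
            hits.append((src_ip, qname))
    return hits

def summarize(hits):
    """Count suspicious queries per source address, for alert triage."""
    return Counter(src_ip for src_ip, _ in hits)

if __name__ == "__main__":
    for src_ip, qname in scan_dns_log(SAMPLE_LOG, HUB_IPS):
        print(f"suspicious DNS query from hub {src_ip}: {qname!r}")
```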

🔗 References
