CVE-2025-65293

6.6 MEDIUM

📋 TL;DR

This CVE describes a command injection vulnerability in Aqara Camera Hub G3 devices that lets an attacker execute arbitrary commands with root privileges by having the device scan a malicious QR code during setup or factory reset. It affects users of Aqara Camera Hub G3 devices who perform setup or reset procedures. Because the QR code must be presented to the device, this is a physical-access vector, but a successful attack gives the attacker complete control of the device.

💻 Affected Systems

Products:
  • Aqara Camera Hub G3
Versions: 4.1.9_0027
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default configuration during setup/reset procedures.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing persistent root access, data exfiltration, lateral movement in the network, and use as a pivot point for further attacks.

🟠 Likely Case

Local attacker gains root access to the camera hub, potentially compromising connected cameras and accessing video feeds or network credentials.

🟢 If Mitigated

Limited impact if QR code scanning is restricted to trusted sources and physical access is controlled.

🌐 Internet-Facing: LOW - Exploitation requires physical access to scan QR codes, not remote network access.
🏢 Internal Only: MEDIUM - Physical access to device during setup/reset could allow compromise within secured premises.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires physical access to scan malicious QR code during setup/reset. Public GitHub repository contains technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check Aqara official website or support channels for firmware updates addressing CVE-2025-65293. No official patch information available at this time.

🔧 Temporary Workarounds

Physical Access Control (applies to: all)

Restrict physical access to devices during setup and factory reset procedures.

QR Code Source Verification (applies to: all)

Only use QR codes from trusted official sources during device setup.

🧯 If You Can't Patch

  • Isolate affected devices on separate network segments
  • Monitor for unusual network activity from camera hub devices

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version in the Aqara app or web interface. If the version is 4.1.9_0027, the device is vulnerable.

Check Version:

Check via Aqara mobile app: Device Settings > About > Firmware Version

Verify Fix Applied:

Verify firmware version has been updated beyond 4.1.9_0027 through official Aqara update channels.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution during setup process
  • QR code scanning errors with suspicious payloads

Network Indicators:

  • Unexpected outbound connections from camera hub
  • Unusual network traffic patterns post-setup

SIEM Query:

Search for process-execution events in which the camera hub's setup or provisioning processes spawn shell commands, and review the command strings they pass.
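The page describes the detection only in words, so here is an added example (not from the page, the vendor, or any public PoC) of what that check looks like over sample log lines. The log format, the process name `setupd`, and the `wifi_join` helper are all constructed assumptions, since the hub's real logging is not documented here; the point is the two pieces of logic a defender needs: an allowlist check for values that come off a QR code, and a scan that flags setup-time shell executions whose arguments fail that check.

```python
import re

# Constructed sample log lines in a generic syslog-like shape. The real Aqara
# hub log format, the 'setupd' process name and the 'wifi_join' helper are
# assumptions made only so the example runs offline.
SAMPLE_LOGS = [
    "2025-11-20T10:01:02 hub setupd[412]: qr scan ok len=62",
    "2025-11-20T10:01:03 hub setupd[412]: exec sh -c 'wifi_join \"HomeWifi\" \"s3cretpass\"'",
    "2025-11-20T10:05:44 hub setupd[412]: qr scan ok len=71",
    "2025-11-20T10:05:45 hub setupd[412]: exec sh -c 'wifi_join \"HomeWifi; id\" \"x\"'",
    "2025-11-20T10:06:00 hub setupd[412]: qr scan error: unexpected byte 0x60 at offset 14",
    "2025-11-20T11:00:00 hub cron[99]: exec sh -c 'logrotate /etc/logrotate.conf'",
]

# timestamp host process[pid]: message
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
# Characters that let a value break out of a shell command string.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")
# Double-quoted arguments inside an 'exec sh -c ...' message.
QUOTED_ARG_RE = re.compile(r'"([^"]*)"')

# Assumed names of the processes that handle setup / factory reset.
SETUP_PROCESSES = {"setupd", "provisiond", "factory_reset"}


def is_safe_provisioning_value(value: str, max_len: int = 64) -> bool:
    """Allowlist check for a field taken from a setup QR code.

    Fail closed: reject empty or over-long values, anything non-printable
    or non-ASCII, and anything containing shell metacharacters. (The real
    fix on the device side is to never build a shell string from QR data at
    all and to pass values as separate argv entries instead.)
    """
    if not value or len(value) > max_len:
        return False
    if not value.isascii() or not value.isprintable():
        return False
    return SHELL_META.search(value) is None


def find_suspicious_setup_events(lines):
    """Return (line_index, reason) tuples for setup-time events worth alerting on."""
    findings = []
    for i, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m or m["proc"] not in SETUP_PROCESSES:
            continue  # only setup/provisioning processes are in scope
        msg = m["msg"]
        if msg.startswith("exec sh -c"):
            bad = [a for a in QUOTED_ARG_RE.findall(msg)
                   if not is_safe_provisioning_value(a)]
            if bad:
                findings.append((i, f"setup process ran a shell with unsafe argument(s) {bad!r}"))
        elif msg.startswith("qr scan error"):
            findings.append((i, "QR parse error during setup (possible malformed payload)"))
    return findings


if __name__ == "__main__":
    for idx, reason in find_suspicious_setup_events(SAMPLE_LOGS):
        print(f"line {idx}: {reason}\n    {SAMPLE_LOGS[idx]}")
```

Run against the constructed sample, the scan flags line 3 (a setup-process shell execution whose SSID argument contains `;`) and line 4 (a QR parse error), while the legitimate setup join on line 1 and the unrelated `cron` execution on line 5 are left alone. Adapting this to a real SIEM means replacing `LOG_RE` and `SETUP_PROCESSES` with whatever the hub actually emits; the allowlist rule in `is_safe_provisioning_value` is deliberately strict (ASCII only, no metacharacters) and should be loosened only once the value no longer reaches a shell.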
