CVE-2025-65296

6.5 MEDIUM

📋 TL;DR

A NULL-pointer dereference vulnerability in Aqara smart home hubs allows attackers to cause denial-of-service by sending malformed JSON inputs. This affects Aqara Hub M2, Hub M3, and Camera Hub G3 devices running specific vulnerable firmware versions. The vulnerability can crash the device's JSON processing functionality.

💻 Affected Systems

Products:
  • Aqara Hub M2
  • Aqara Hub M3
  • Aqara Camera Hub G3
Versions: Hub M2: 4.3.6_0027, Hub M3: 4.3.6_0025, Camera Hub G3: 4.1.9_0027
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the specified firmware versions are vulnerable in default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Device becomes completely unresponsive, requiring physical restart or factory reset, disrupting all connected smart home devices and services.

🟠 Likely Case

Temporary service disruption affecting specific JSON-dependent functions until device automatically restarts or requires manual intervention.

🟢 If Mitigated

Minimal impact with proper network segmentation and input validation in place, potentially causing only isolated service interruptions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the device but no authentication. The GitHub reference contains technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the Aqara official website or app for firmware updates
2. If an update is available, apply it through the Aqara app
3. Monitor for a vendor security advisory

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate Aqara hubs from untrusted networks and internet exposure

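Firewall Rules (platform: linux)

Restrict network access to Aqara hubs to only trusted IP addresses. Apply the rules on the Linux router or firewall that sits between the hub and the rest of the network.

# Traffic routed to the hub traverses the FORWARD chain on the gateway (INPUT only covers the gateway itself).
# [HUB_IP], [HUB_PORT] and [TRUSTED_IP] are placeholders for your environment.
iptables -A FORWARD -s [TRUSTED_IP] -d [HUB_IP] -p tcp --dport [HUB_PORT] -j ACCEPT
iptables -A FORWARD -d [HUB_IP] -p tcp --dport [HUB_PORT] -j DROP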

🧯 If You Can't Patch

  • Segment network to isolate Aqara devices from untrusted traffic
  • Implement network monitoring for malformed JSON payloads targeting hub devices

🔍 How to Verify

Check if Vulnerable:

Check firmware version in Aqara app: Settings > About > Firmware Version

Check Version:

Check via Aqara mobile app interface only

Verify Fix Applied:

Verify that the firmware version has been updated beyond the vulnerable versions listed

📡 Detection & Monitoring

Log Indicators:

  • Device crash/restart logs
  • JSON parsing errors
  • Unexpected service termination

Network Indicators:

  • Malformed JSON payloads sent to hub ports
  • Unusual traffic patterns to hub management interfaces

SIEM Query:

source="aqara_hub" AND (event="crash" OR event="restart" OR message="*JSON*error*")

🔗 References
