CVE-2025-65297

7.5 HIGH

📋 TL;DR

Aqara Hub devices automatically collect and upload unencrypted sensitive information without user consent or manufacturer disclosure. This vulnerability allows unauthorized data exfiltration affecting users of Camera Hub G3, Hub M2, and Hub M3 devices.

💻 Affected Systems

Products:
  • Aqara Camera Hub G3
  • Aqara Hub M2
  • Aqara Hub M3
Versions: Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, Hub M3 4.3.6_0025
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with default configurations are vulnerable as the data collection occurs automatically without user configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all sensitive data collected by the devices, including video feeds, device metadata, and network information, being transmitted to unauthorized third parties.

🟠 Likely Case

Persistent collection and transmission of personal data, including device usage patterns, network configurations, and potentially video/audio data, without user knowledge.

🟢 If Mitigated

Limited data exposure if devices are isolated from sensitive networks and internet access is restricted.

🌐 Internet-Facing: HIGH - Devices typically connect to cloud services and the internet, making data transmission easily interceptable.
🏢 Internal Only: MEDIUM - Even on internal networks, unencrypted data transmission creates risk from internal threats or compromised devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication, and the data collection occurs automatically. A public GitHub repository contains a detailed analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Monitor Aqara security advisories for updates.

🔧 Temporary Workarounds

Network Isolation (applies to: all)

Place Aqara Hub devices on an isolated VLAN with restricted internet access.

Firewall Rules (applies to: all)

Block all outbound traffic from Aqara devices except to essential cloud services.

🧯 If You Can't Patch

  • Disconnect the devices from the internet entirely and use them only locally
  • Replace affected devices with alternative products from different vendors

🔍 How to Verify

Check if Vulnerable:

Check device firmware version in Aqara app: Settings > About > Firmware Version

Check Version:

Not applicable from the command line; check the firmware version via the Aqara mobile application interface.

Verify Fix Applied:

Monitor network traffic from the devices to confirm that no unencrypted sensitive data is being transmitted.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound data transfers from IoT devices
  • Large volumes of data sent to unknown external IPs

Network Indicators:

  • Unencrypted HTTP traffic from Aqara devices containing sensitive data
  • Regular data uploads to cloud endpoints

SIEM Query:

source_ip IN (aqara_device_ips) AND protocol = 'http' AND (payload_contains 'sensitive' OR size > 1MB)
