216.73.217.64

CVE-2025-65290

· Published 10/12/2025 22:16 · Modified 17/12/2025 19:55

Labels: CVE-2025-65290 2025-12-10CVE-2025-65290CWE-295[email protected]

Essential information

Published
10/12/2025 22:16
Modified
17/12/2025 19:55
Author
Creator
CVSS
7.4 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 fail to validate server certificates during HTTPS firmware downloads, allowing man-in-the-middle attackers to intercept firmware update traffic and potentially serve modified firmware files.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
aqara / hub m2 firmware cpe:2.3:o:aqara:hub_m2_firmware:4.3.6_0027:*:*:*:*:*:*:*
aqara / hub m2 cpe:2.3:h:aqara:hub_m2:-:*:*:*:*:*:*:*
aqara / hub m3 firmware cpe:2.3:o:aqara:hub_m3_firmware:4.3.6_0025:*:*:*:*:*:*:*
aqara / hub m3 cpe:2.3:h:aqara:hub_m3:-:*:*:*:*:*:*:*
aqara / camera hub g3 firmware cpe:2.3:o:aqara:camera_hub_g3_firmware:4.1.9_0027:*:*:*:*:*:*:*
aqara / camera hub g3 cpe:2.3:h:aqara:camera_hub_g3:-:*:*:*:*:*:*:*

References