Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65291

CVE-2025-65291: Aqara Hub M2 Information Disclosure Flaw

CVE-2025-65291 is an information disclosure vulnerability in Aqara Hub M2 Firmware caused by improper TLS certificate validation. This flaw enables man-in-the-middle attacks on device communications. Learn about technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-65291 Overview

CVE-2025-65291 is a certificate validation bypass vulnerability affecting multiple Aqara smart home hub devices. The affected devices fail to properly validate server certificates in TLS connections for discovery services and CoAP (Constrained Application Protocol) gateway communications. This improper certificate validation enables attackers to perform man-in-the-middle (MITM) attacks, potentially intercepting and manipulating device control commands and monitoring data.

Critical Impact

Attackers positioned on the network can intercept TLS communications between Aqara Hub devices and backend services, enabling unauthorized device control and surveillance data interception in smart home environments.

Affected Products

  • Aqara Hub M2 Firmware version 4.3.6_0027
  • Aqara Hub M3 Firmware version 4.3.6_0025
  • Aqara Camera Hub G3 Firmware version 4.1.9_0027

Discovery Timeline

  • 2025-12-10 - CVE-2025-65291 published to NVD
  • 2026-01-15 - Last updated in NVD database

Technical Details for CVE-2025-65291

Vulnerability Analysis

This vulnerability is classified under CWE-295 (Improper Certificate Validation), which occurs when software fails to properly verify that a certificate's origin and integrity are trustworthy. In the context of Aqara Hub devices, the firmware does not adequately validate the authenticity of server certificates when establishing TLS connections for discovery services and CoAP gateway communications.

The vulnerability requires network-level access, meaning an attacker must be able to intercept network traffic between the hub devices and their cloud services. While this adds complexity to exploitation, it is achievable in shared network environments, compromised routers, or through ARP spoofing attacks on local networks.

Root Cause

The root cause lies in the improper implementation of certificate validation within the Aqara Hub firmware. When the devices establish encrypted connections to backend services for device discovery and CoAP gateway communications, they fail to properly verify that the presented server certificate is signed by a trusted certificate authority, matches the expected hostname, or has not been revoked. This allows attackers to present self-signed or fraudulent certificates without triggering security warnings or connection failures.

Attack Vector

The attack requires a network-adjacent position where the attacker can intercept and modify traffic between Aqara Hub devices and their intended servers. An attacker would typically:

  1. Position themselves between the target device and its cloud services using techniques such as ARP spoofing, DNS hijacking, or compromised network infrastructure
  2. Present a fraudulent TLS certificate to the hub device when it attempts to connect to discovery or CoAP gateway services
  3. Because the hub does not validate the certificate properly, it accepts the fraudulent certificate and establishes the TLS connection with the attacker's system
  4. The attacker can then intercept, read, and modify all communications between the hub and legitimate services, including device control commands and monitoring data from connected sensors and cameras

The vulnerability is particularly concerning for Camera Hub G3 devices, as successful exploitation could allow interception of video surveillance data. For detailed technical information about this vulnerability, refer to the PoC documentation on GitHub.

Detection Methods for CVE-2025-65291

Indicators of Compromise

  • Unusual certificate warnings or errors in network logs related to Aqara device traffic
  • Detection of ARP spoofing or DNS poisoning attempts targeting smart home network segments
  • Unexpected connections from Aqara devices to non-standard IP addresses or domains
  • Modified or delayed responses to device control commands

Detection Strategies

  • Deploy network monitoring solutions capable of detecting man-in-the-middle attack patterns
  • Implement intrusion detection rules to identify certificate anomalies in IoT device traffic
  • Monitor for ARP cache poisoning attacks on networks containing Aqara devices
  • Analyze network traffic for connections to suspicious endpoints from hub device MAC addresses

Monitoring Recommendations

  • Segment IoT devices including Aqara hubs on isolated VLANs with strict traffic monitoring
  • Enable logging on network infrastructure to capture connection attempts and certificate exchanges
  • Deploy network-based anomaly detection focused on smart home device communication patterns
  • Regularly audit firmware versions across all Aqara devices in the environment

How to Mitigate CVE-2025-65291

Immediate Actions Required

  • Isolate affected Aqara Hub devices on a dedicated network segment with restricted access
  • Implement network-level protections against ARP spoofing and DNS hijacking
  • Monitor for firmware updates from Aqara that address this certificate validation issue
  • Review and audit any automations or integrations that rely on these hub devices

Patch Information

At the time of this advisory, no vendor patch information is available in the CVE data. Organizations should monitor Aqara's official channels for firmware updates that address this certificate validation vulnerability. The affected firmware versions are Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, and Camera Hub G3 4.1.9_0027.

Workarounds

  • Deploy affected devices on isolated network segments with no direct internet access where possible
  • Use enterprise-grade network equipment with dynamic ARP inspection (DAI) and DHCP snooping enabled
  • Consider using a VPN or encrypted tunnel for hub communications if technically feasible
  • Implement strict firewall rules limiting hub device communications to known Aqara service endpoints
bash
# Network isolation example - create dedicated IoT VLAN
# This example shows basic VLAN configuration concepts

# On managed switch, create IoT VLAN
vlan 100
  name IoT_Devices
  
# Enable dynamic ARP inspection on IoT VLAN
ip arp inspection vlan 100

# Enable DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan 100

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.