CVE-2025-65295 Overview
CVE-2025-65295 describes multiple vulnerabilities in the Over-the-Air (OTA) firmware update process used by Aqara smart home hubs. The affected devices include the Camera Hub G3 running firmware 4.1.9_0027, Hub M2 running 4.3.6_0027, and Hub M3 running 4.3.6_0025. The devices fail to validate firmware signatures during updates, rely on outdated cryptographic primitives that allow signature forgery, and disclose information through improperly initialized memory. Successful exploitation lets an attacker install malicious firmware on the targeted hub, gaining persistent control over the device and any connected smart home accessories.
Critical Impact
Attackers can install unsigned or forged firmware on Aqara hubs, leading to persistent device compromise across the smart home ecosystem.
Affected Products
- Aqara Camera Hub G3 firmware 4.1.9_0027
- Aqara Hub M2 firmware 4.3.6_0027
- Aqara Hub M3 firmware 4.3.6_0025
Discovery Timeline
- 2025-12-10 - CVE-2025-65295 published to NVD
- 2025-12-17 - Last updated in NVD database
Technical Details for CVE-2025-65295
Vulnerability Analysis
The advisory describes three related weaknesses in the firmware update pipeline of the Aqara Camera Hub G3, Hub M2, and Hub M3. First, the device does not properly verify the digital signature of firmware images before applying them. Second, signature handling relies on outdated cryptographic methods that can be exploited to forge a valid signature for attacker-controlled firmware. Third, the update logic exposes information through improperly initialized memory regions. The combined effect maps to [CWE-326] (Inadequate Encryption Strength) and gives a network-based attacker who can intercept or supply OTA payloads the ability to load malicious firmware on the hub.
Root Cause
The root cause is weak cryptographic verification in the OTA path. The update routine does not enforce a strong signature check before applying an image, and the signature algorithm in use is weak enough that an attacker can produce signatures the device accepts. Improper memory initialization in the update handler additionally leaks data that can assist exploitation. According to the public report, these issues affect the entire firmware update path rather than a single component.
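To make the verification gap concrete, the following Go program is an added illustration, not Aqara's code and not derived from the advisory. It contrasts a check that only validates an unkeyed digest (which anyone who can rewrite the image can satisfy) with a check that verifies an Ed25519 signature over that digest under a pinned vendor key before any byte is handed to the flash writer. The image layout, the key handling, the firmware bodies, and the specific weak scheme are all assumptions chosen for the example; the advisory does not state which algorithm the hubs actually use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical OTA image layout for this example (not Aqara's format):
// [32-byte SHA-256 of body][64-byte Ed25519 signature over that hash][body]
const (
	hashLen = sha256.Size
	sigLen  = ed25519.SignatureSize
	hdrLen  = hashLen + sigLen
)

var errBadImage = errors.New("ota: image rejected, nothing written")

// newVendorKey stands in for the vendor's offline signing key; the public
// half is what the hub would carry in storage the update path cannot modify.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// buildImage packs a firmware body with its digest and the vendor signature.
func buildImage(priv ed25519.PrivateKey, body []byte) []byte {
	h := sha256.Sum256(body)
	img := append([]byte{}, h[:]...)
	img = append(img, ed25519.Sign(priv, h[:])...)
	return append(img, body...)
}

// weakAccept models the defect class: it only checks that the embedded
// digest matches the body. No key is involved, so anyone who can rewrite the
// image can make it "valid". Illustrative only; the advisory does not say
// which weak scheme the hubs use.
func weakAccept(img []byte) bool {
	if len(img) < hdrLen {
		return false
	}
	h := sha256.Sum256(img[hdrLen:])
	return bytes.Equal(h[:], img[:hashLen])
}

// strongAccept is the hardened check: the digest must match AND the
// signature over it must verify under the pinned vendor key, all before any
// byte of the body is handed to the flash writer.
func strongAccept(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < hdrLen {
		return nil, errBadImage
	}
	h := sha256.Sum256(img[hdrLen:])
	if !bytes.Equal(h[:], img[:hashLen]) {
		return nil, errBadImage
	}
	if !ed25519.Verify(pub, h[:], img[hashLen:hdrLen]) {
		return nil, errBadImage
	}
	return img[hdrLen:], nil
}

// forge is what a man-in-the-middle on the OTA path can do: swap the body,
// recompute the unkeyed digest, and keep the now-stale signature bytes.
func forge(genuine, evilBody []byte) []byte {
	h := sha256.Sum256(evilBody)
	img := append([]byte{}, h[:]...)
	img = append(img, genuine[hashLen:hdrLen]...)
	return append(img, evilBody...)
}

func main() {
	pub, priv := newVendorKey()
	genuine := buildImage(priv, []byte("constructed firmware body 4.3.6_0027"))
	evil := forge(genuine, []byte("constructed attacker firmware body"))

	fmt.Println("weak check accepts forged image:", weakAccept(evil)) // true
	_, err := strongAccept(pub, evil)
	fmt.Println("strong check rejects forged image:", err != nil) // true
	_, err = strongAccept(pub, genuine)
	fmt.Println("strong check accepts genuine image:", err == nil) // true
}
```

Two design points carry over to any real updater: verification must complete over the whole image before anything is written (verify-after-write leaves a forged image already on flash if the device is reset mid-check), and the vendor public key must live where the update path itself cannot overwrite it, or a single successful compromise can replace the trust anchor.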
Attack Vector
The vulnerability is exploited over the network through the firmware update channel. An attacker positioned to deliver or intercept OTA traffic, for example through DNS hijacking or a man-in-the-middle on the local network, can supply a crafted firmware image. Because signatures are not validated correctly, the hub installs the malicious image and reboots into attacker-controlled code.
No verified proof-of-concept code is available in the referenced advisory. For technical details, see the GitHub CVE Report by Chapoly1305.
Detection Methods for CVE-2025-65295
Indicators of Compromise
- Unexpected firmware version strings reported by Aqara Camera Hub G3, Hub M2, or Hub M3 devices that do not match official Aqara release notes.
- OTA download requests from hubs to hosts other than official Aqara update endpoints.
- Unscheduled reboots of Aqara hubs followed by changes in device behavior, network traffic patterns, or paired accessory state.
Detection Strategies
- Inspect outbound traffic from IoT VLANs for HTTP or HTTPS firmware downloads that deviate from baseline Aqara update destinations.
- Capture and review TLS SNI and DNS queries from hub devices to identify redirection to attacker-controlled update servers.
- Compare firmware version telemetry across a fleet of hubs to flag devices running unofficial or downgraded versions.
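The DNS review and the fleet version comparison above can be scripted. The following Go program is an added example, not tooling from the advisory or from Aqara: it runs over constructed dnsmasq-style query lines and a constructed firmware inventory, flagging hub queries for hosts outside a domain allowlist and hubs reporting builds that are not on a confirmed list. The hub IP inventory, the allowed-domain suffixes, the telemetry rows, and the known-version map are all assumptions; build the real lists from a baseline capture of a hub during a known-good update and from Aqara's release notes.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed dnsmasq-style query lines (not a real capture):
//   "<date> dnsmasq[pid]: query[A] <name> from <source-ip>"
var sampleDNSLog = []string{
	"Dec 12 03:14:07 dnsmasq[612]: query[A] aiot-ota.aqara.com from 192.0.2.50",
	"Dec 12 03:14:09 dnsmasq[612]: query[A] pool.ntp.org from 192.0.2.50",
	"Dec 12 03:16:22 dnsmasq[612]: query[A] ota-cdn.example.net from 192.0.2.50",
	"Dec 12 03:16:30 dnsmasq[612]: query[A] fw-update.example.org from 192.0.2.51",
	"Dec 12 03:17:01 dnsmasq[612]: query[A] github.com from 192.0.2.10",
}

// hubIPs is the assumed inventory of Aqara hubs on the IoT VLAN.
var hubIPs = map[string]bool{"192.0.2.50": true, "192.0.2.51": true}

// allowedSuffixes lists domains a hub is expected to resolve. Both entries
// are assumptions; derive the real list from a baseline capture.
var allowedSuffixes = []string{"aqara.com", "ntp.org"}

// allowed reports whether name is a listed domain or a subdomain of one.
func allowed(name string) bool {
	for _, s := range allowedSuffixes {
		if name == s || strings.HasSuffix(name, "."+s) {
			return true
		}
	}
	return false
}

// suspiciousDNS returns "<hub> -> <name>" for every query a known hub sent
// for a host outside the allowlist. Queries from non-hub devices are ignored.
func suspiciousDNS(lines []string) []string {
	var hits []string
	for _, line := range lines {
		f := strings.Fields(line)
		for i, tok := range f {
			if !strings.HasPrefix(tok, "query[") {
				continue
			}
			// token layout after "query[...]": <name> from <src>
			if i+3 < len(f) && f[i+2] == "from" {
				name, src := strings.ToLower(f[i+1]), f[i+3]
				if hubIPs[src] && !allowed(name) {
					hits = append(hits, src+" -> "+name)
				}
			}
			break
		}
	}
	return hits
}

// hubReport is one row of constructed firmware-version telemetry.
type hubReport struct{ ip, model, version string }

var sampleTelemetry = []hubReport{
	{"192.0.2.50", "Hub M2", "4.3.6_0027"},
	{"192.0.2.51", "Hub M3", "4.3.6_0025"},
	{"192.0.2.52", "Hub M2", "4.3.6_0031"}, // constructed: not in any release note
	{"192.0.2.53", "Camera Hub G3", "4.1.9_0027"},
}

// knownVersions holds builds confirmed against Aqara release notes. Seeded
// with the builds named in the advisory; add fixed builds as they ship.
var knownVersions = map[string]map[string]bool{
	"Camera Hub G3": {"4.1.9_0027": true},
	"Hub M2":        {"4.3.6_0027": true},
	"Hub M3":        {"4.3.6_0025": true},
}

// unknownFirmware flags hubs whose reported build is not on the confirmed
// list. An unknown model is flagged too: indexing its missing inner map
// yields false.
func unknownFirmware(reports []hubReport) []string {
	var out []string
	for _, r := range reports {
		if !knownVersions[r.model][r.version] {
			out = append(out, fmt.Sprintf("%s (%s) reports unlisted firmware %s", r.ip, r.model, r.version))
		}
	}
	return out
}

func main() {
	for _, h := range suspiciousDNS(sampleDNSLog) {
		fmt.Println("DNS:", h)
	}
	for _, u := range unknownFirmware(sampleTelemetry) {
		fmt.Println("FW :", u)
	}
}
```

The suffix match is anchored on a leading dot so that a lookalike such as aqara.com.example.net is not accepted; the version check deliberately treats any build string it has not seen as suspicious, since both a downgrade and an attacker-chosen version string show up the same way in telemetry.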
Monitoring Recommendations
- Place Aqara hubs on a segmented IoT network and log all egress traffic for retrospective analysis.
- Alert on ARP spoofing, rogue DHCP, or DNS manipulation events on networks hosting smart home hubs, since these enable OTA interception.
- Track device uptime and reboot events to correlate suspicious firmware update activity with subsequent behavioral changes.
How to Mitigate CVE-2025-65295
Immediate Actions Required
- Inventory all Aqara Camera Hub G3, Hub M2, and Hub M3 devices and record their current firmware versions.
- Isolate affected hubs on a dedicated VLAN with strict egress filtering until a vendor-supplied fix is confirmed.
- Block hub access to arbitrary internet destinations and restrict outbound traffic to known Aqara update infrastructure.
Patch Information
No vendor advisory or patched firmware version is listed in the NVD entry at the time of publication. Administrators should monitor Aqara support channels for updated firmware that addresses signature verification, replaces the weak cryptographic method, and corrects the memory initialization defect. Track the GitHub CVE Report for vendor response updates.
Workarounds
- Disable automatic OTA updates where the hub configuration permits and apply firmware manually after validating authenticity.
- Enforce DNS filtering at the network perimeter so that vendor update hostnames resolve only to vendor addresses. Certificate pinning is a client-side control that the hub firmware itself would have to implement; it cannot be added at the perimeter, so do not count on it as a compensating measure.
- Consider removing affected hubs from sensitive environments such as offices handling confidential meetings, since the integrated camera and microphone become high-value targets after compromise.
# Example: restrict an Aqara hub to vendor update endpoints only
# Replace 192.0.2.50 with the hub IP, 192.0.2.1 with your local resolver,
# and adjust the allowed FQDN list. -I prepends, so the DROP goes in first
# and each later ACCEPT lands above it. iptables resolves an FQDN given to
# -d once, at insertion time; re-apply the rules if the vendor's IPs change.
iptables -I FORWARD -s 192.0.2.50 -j DROP
iptables -I FORWARD -s 192.0.2.50 -d aiot-ota.aqara.com -j ACCEPT
iptables -I FORWARD -s 192.0.2.50 -d 192.0.2.1 -p udp --dport 53 -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


