CVE-2025-65297 Overview
CVE-2025-65297 affects multiple Aqara smart home hub devices, including the Camera Hub G3, Hub M2, and Hub M3. The devices automatically collect and upload sensitive information to remote servers without encryption. The data transmission occurs without disclosure to or consent from device owners.
The vulnerability falls under CWE-5 and exposes confidential user data over network channels. Because the data is transmitted unencrypted, network-positioned attackers can intercept and harvest the information passively. The issue affects firmware versions 4.1.9_0027 (Camera Hub G3), 4.3.6_0027 (Hub M2), and 4.3.6_0025 (Hub M3).
Critical Impact
Sensitive telemetry and user data leave affected Aqara hubs in cleartext, exposing households to passive interception and unauthorized data collection.
Affected Products
- Aqara Camera Hub G3 firmware 4.1.9_0027
- Aqara Hub M2 firmware 4.3.6_0027
- Aqara Hub M3 firmware 4.3.6_0025
Discovery Timeline
- 2025-12-10 - CVE-2025-65297 published to NVD
- 2025-12-19 - Last updated in NVD database
Technical Details for CVE-2025-65297
Vulnerability Analysis
The affected Aqara hubs initiate outbound network traffic that carries sensitive device and user information in cleartext. The behavior is not documented in the product privacy disclosures, and users have no opportunity to opt out. This combines two distinct weaknesses: missing encryption for sensitive data in transit and undisclosed data collection.
Because the transmissions traverse the local network and potentially upstream Internet links, anyone with access to the path can read the payloads. Smart home hubs typically aggregate telemetry from connected sensors, cameras, and door locks, so the leaked data can reveal occupancy patterns, device inventories, and routines. Passive capture requires no authentication, credentials, or user interaction; the attacker only needs a vantage point on the path.
Root Cause
The root cause is a design decision in the hub firmware to transmit operational telemetry over unencrypted channels. The firmware lacks Transport Layer Security (TLS) or equivalent encryption for these specific upload endpoints. Compounding the technical flaw, the manufacturer did not disclose the collection behavior, removing the consent control that might otherwise inform user risk decisions.
Attack Vector
An attacker on the same Wi-Fi network, at an upstream Internet Service Provider (ISP), or on any intermediary network device can passively capture the cleartext uploads. An active attacker in a man-in-the-middle (MITM) position can also alter the traffic: the referenced data describes no transport-layer integrity protection, and whether the hub authenticates the payload at the application layer is not stated. Exploitation does not require credentials or physical access to the device.
No public exploit code is required because the vulnerability is observable through standard packet capture. See the GitHub CVE Report for technical details on the captured traffic.
Detection Methods for CVE-2025-65297
Indicators of Compromise
- Outbound plaintext HTTP traffic from MAC addresses whose OUI prefix is registered to the hub vendor, carrying device identifiers, sensor state, or account metadata.
- Cleartext payloads on ports such as 80 or non-standard high ports from hub IP addresses to cloud endpoints.
- DNS queries from hub devices resolving to Aqara telemetry domains followed by unencrypted POST requests.
Detection Strategies
- Inspect network flows from Internet of Things (IoT) VLANs for unencrypted HTTP traffic carrying JSON payloads with device serial numbers or user identifiers.
- Use a network sensor or Network Detection and Response (NDR) tool to flag any plaintext upload from known smart home hub vendor MAC prefixes.
- Record the firmware version of each hub (from the device information shown in the Aqara app, or from any version string the hubs expose on the wire) and compare it against the affected version list above.
Monitoring Recommendations
- Place Aqara hubs on an isolated VLAN and log all outbound flows for review.
- Alert on any plaintext HTTP (not HTTPS) POST request from hub devices to external, non-RFC 1918 destinations.
- Capture and periodically review packet samples to confirm whether sensitive fields appear in cleartext.
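The detection and monitoring items above reduce to one check per flow: did a hub send plaintext HTTP to a non-local address, and what identifier-like fields were in it? The script below is an added example for this page, not Aqara code or a real capture. It runs over constructed flow records (source MAC, addresses, first client bytes of the TCP stream) of the kind a Zeek or NDR sensor can export. The hub OUI ("AA:BB:CC", matching the page's placeholder MAC), the JSON key names treated as sensitive, and the sample payload are all assumptions; tune them to your own captures.

```python
"""Detect cleartext uploads from smart-home hubs to external hosts and list the
identifier-like fields they carry. Added example for this page; not Aqara code."""
import ipaddress
import json
import re
from dataclasses import dataclass, field

# Assumption: OUI prefixes of the hubs in your own inventory. "AA:BB:CC" is a
# placeholder matching the page's example MAC, not a real vendor assignment.
HUB_OUIS = {"AA:BB:CC"}

# RFC 1918 ranges plus loopback count as "local"; anything else is external.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: JSON keys treated as device or account identifiers. The advisory does
# not name the real fields, so tune this to what your own captures show.
SENSITIVE_KEYS = {"did", "sn", "serial", "mac", "uid", "user_id", "token"}
MAC_RE = re.compile(rb"(?i)\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b")
REQUEST_LINE_RE = re.compile(rb"^(GET|POST|PUT) (\S+) HTTP/1\.[01]\r\n")


@dataclass
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes  # first client-to-server bytes of the TCP stream


@dataclass
class Alert:
    flow: Flow
    reason: str
    fields: list = field(default_factory=list)


def is_hub(flow):
    return flow.src_mac.upper()[:8] in HUB_OUIS


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETS)


def sensitive_fields(body):
    """Return dotted paths of identifier-like keys in a JSON body, or a marker
    when a non-JSON body (e.g. form-encoded) embeds a MAC address."""
    found = []
    try:
        doc = json.loads(body)
    except ValueError:  # empty, non-JSON or non-UTF-8 body
        doc = None

    def walk(obj, path=""):
        if isinstance(obj, dict):
            for key, val in obj.items():
                if key.lower() in SENSITIVE_KEYS:
                    found.append(path + key)
                walk(val, path + key + ".")
        elif isinstance(obj, list):
            for i, val in enumerate(obj):
                walk(val, path + str(i) + ".")

    if doc is not None:
        walk(doc)
    elif MAC_RE.search(body):
        found.append("mac-pattern")
    return found


def inspect_flow(flow):
    """Alert on plaintext HTTP from a hub to an external host: every POST, and any
    other method whose body carries identifier-like fields."""
    if not is_hub(flow) or not is_external(flow.dst_ip):
        return None
    if flow.payload[:2] == b"\x16\x03":
        return None  # TLS record header: encrypted, nothing to read
    match = REQUEST_LINE_RE.match(flow.payload)
    if not match:
        return None  # not recognisable HTTP; leave to other detections
    method = match.group(1).decode()
    _head, _sep, body = flow.payload.partition(b"\r\n\r\n")
    fields = sensitive_fields(body)
    if method == "POST":
        return Alert(flow, f"cleartext HTTP POST to {flow.dst_ip}:{flow.dst_port}", fields)
    if fields:
        return Alert(flow, f"cleartext HTTP {method} carrying identifiers", fields)
    return None


def scan(flows):
    return [alert for alert in map(inspect_flow, flows) if alert]


HUB_MAC = "AA:BB:CC:DD:EE:FF"
# Constructed cleartext upload (not a real Aqara capture): the body shape is assumed.
UPLOAD = (
    b"POST /api/telemetry HTTP/1.1\r\nHost: upload.example.invalid\r\n"
    b"Content-Type: application/json\r\n\r\n"
    + json.dumps({"did": "hub-0001", "mac": HUB_MAC, "fw": "4.3.6_0027",
                  "user": {"uid": "u-42"},
                  "sensors": [{"sn": "s-7", "state": "open"}]}).encode()
)
CLIENT_HELLO = bytes.fromhex("16030100a5010000a10303")  # leading bytes of a TLS ClientHello
SAMPLE_FLOWS = [
    Flow(HUB_MAC, "192.168.50.10", "203.0.113.10", 80, UPLOAD),              # hub -> Internet, plaintext
    Flow(HUB_MAC, "192.168.50.10", "203.0.113.20", 443, CLIENT_HELLO),       # hub -> Internet, TLS
    Flow(HUB_MAC, "192.168.50.10", "192.168.50.2", 80, UPLOAD),              # hub -> LAN controller
    Flow("11:22:33:44:55:66", "192.168.50.11", "203.0.113.10", 80, UPLOAD),  # not a hub
    Flow(HUB_MAC, "192.168.50.10", "203.0.113.30", 8080,
         b"GET /time HTTP/1.1\r\nHost: upload.example.invalid\r\n\r\n"),     # plaintext, no identifiers
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert.flow.src_mac, alert.reason, alert.fields)
```

Only the first sample flow alerts: the TLS flow is skipped because there is nothing readable, the LAN-bound copy is local control rather than an upload, the non-hub MAC is out of scope, and the plaintext GET carries no identifiers. The returned field paths (`did`, `mac`, `user.uid`, `sensors.0.sn`) are what you would record as evidence when confirming that sensitive data leaves a hub in cleartext.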
How to Mitigate CVE-2025-65297
Immediate Actions Required
- Segment affected Aqara hubs onto a restricted IoT network with no access to corporate or sensitive resources.
- Block outbound traffic from the hubs to non-essential destinations at the firewall.
- Inventory all Aqara Camera Hub G3, Hub M2, and Hub M3 devices and record their firmware versions.
Patch Information
No vendor advisory or patched firmware version has been published in the referenced data at the time of writing. Monitor Aqara support channels for firmware updates that address the unauthorized data upload behavior, and apply them once available. Refer to the GitHub CVE Report for the latest researcher notes.
Workarounds
- Restrict the hubs to LAN-only operation where feasible by blocking outbound Internet access at the gateway. Any function that depends on the vendor cloud (remote access from outside the home, push notifications, cloud-driven automations) will stop working, so verify local control before relying on it.
- Route hub traffic through a Virtual Private Network (VPN) tunnel to limit exposure on untrusted upstream networks. This protects only the tunnel segment: the upload leaves the VPN exit in cleartext and still reaches the vendor, so treat it as a narrowing of the exposure rather than a fix.
- Disable or remove the affected hubs from environments handling sensitive activity until patched firmware is released.
# Configuration example: block outbound Internet for an Aqara hub by MAC on Linux/iptables
# Replace AA:BB:CC:DD:EE:FF with the hub's MAC and eth0 with the WAN-facing interface;
# the rule drops only forwarded (Internet-bound) traffic, so control from the LAN still works.
iptables -I FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -o eth0 -j DROP
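The one-line DROP above cuts the hub off entirely. The "block non-essential destinations" action under Immediate Actions needs an allowlist in front of the drop, and the rules must sit ahead of any blanket ACCEPT already in FORWARD. The function below is an added example (not Aqara's or the page's own configuration) that emits such a policy for review before it is applied on a Linux/iptables gateway. It assumes the caller knows the hub's MAC and the WAN interface name; the chain name AQARA_HUB and the allowlist destinations in the usage line are placeholders, not known Aqara endpoints.

```shell
#!/bin/sh
# Added example: generate an iptables policy that lets one hub reach only an
# allowlist of destinations and drops, with logging, everything else it sends
# toward the Internet. The chain name and allowlist entries are placeholders.
hub_rules() {
    mac=$1
    wan=$2
    shift 2
    # Refuse a malformed MAC: a typo here silently matches nothing.
    if ! printf '%s' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
        echo "hub_rules: invalid MAC '$mac'" >&2
        return 1
    fi
    # A dedicated chain keeps the policy together and lets it be flushed on re-run;
    # the jump is inserted at position 1 so an existing blanket ACCEPT cannot bypass it.
    echo "iptables -N AQARA_HUB 2>/dev/null || iptables -F AQARA_HUB"
    echo "iptables -I FORWARD 1 -m mac --mac-source $mac -o $wan -j AQARA_HUB"
    # Allowlist entries are HOST:PORT (TCP) or HOST:PORT:udp. Use IP addresses:
    # iptables resolves a hostname once at load time and never again.
    for dest in "$@"; do
        proto=tcp
        case $dest in
            *:*:*) proto=${dest##*:}; dest=${dest%:*} ;;
        esac
        host=${dest%:*}
        port=${dest##*:}
        echo "iptables -A AQARA_HUB -d $host -p $proto --dport $port -j ACCEPT"
    done
    # Log (rate-limited) before dropping so the blocked upload destinations show up
    # in the kernel log and can be checked against the packet captures.
    echo "iptables -A AQARA_HUB -m limit --limit 6/min -j LOG --log-prefix 'AQARA-HUB-BLOCKED '"
    echo "iptables -A AQARA_HUB -j DROP"
}

# Usage (placeholder destinations): review the output, then pipe it to sh on the gateway.
#   hub_rules AA:BB:CC:DD:EE:FF eth0 198.51.100.7:443 198.51.100.8:123:udp
```

Run it once per hub; re-running flushes and rebuilds the chain but adds a second (harmless, redundant) jump in FORWARD. Anything that still shows up with the AQARA-HUB-BLOCKED prefix in the kernel log is a destination the hub wanted that you did not allow, which is exactly the list to compare against the detection findings.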
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


