CVE-2025-65297: Aqara Hub M2 Information Disclosure Flaw

CVE-2025-65297 Overview

CVE-2025-65297 is a sensitive data exposure vulnerability affecting multiple Aqara smart home hub devices. The vulnerability involves the automatic collection and transmission of unencrypted sensitive information from affected devices to remote servers without proper disclosure or user consent from the manufacturer. This represents a significant privacy concern for users of these IoT devices, as personal data may be exfiltrated without the user's knowledge.

Critical Impact

Affected Aqara Hub devices automatically upload unencrypted sensitive information to external servers without user consent, potentially exposing private smart home data and user information to unauthorized parties.

Affected Products

• Aqara Camera Hub G3 (Firmware version 4.1.9_0027)
• Aqara Hub M2 (Firmware version 4.3.6_0027)
• Aqara Hub M3 (Firmware version 4.3.6_0025)

Discovery Timeline

• 2025-12-10 - CVE-2025-65297 published to NVD
• 2025-12-19 - Last updated in NVD database

Technical Details for CVE-2025-65297

Vulnerability Analysis

This vulnerability falls under CWE-5 (J2EE Misconfiguration: Data Transmission Without Encryption), though in this IoT context it manifests as unauthorized collection and transmission of sensitive data. The affected Aqara Hub devices transmit data over the network without encryption, making it susceptible to interception. More critically, this data collection occurs without proper disclosure to users, creating a significant privacy breach.

The vulnerability allows attackers with network access to potentially intercept sensitive information being transmitted from these smart home hubs. Since the transmission occurs without encryption, any attacker capable of monitoring network traffic could capture this data.

Root Cause

The root cause of this vulnerability is twofold: first, the devices implement data collection functionality without proper encryption mechanisms to protect the transmitted information; second, this data collection occurs without transparent disclosure to users or obtaining proper consent. This represents both a technical security failure and a privacy compliance issue, as users are unaware that their device data is being automatically uploaded.

Attack Vector

The attack vector for this vulnerability is network-based. An attacker positioned on the same network segment or with the ability to intercept network traffic between the Aqara Hub devices and their destination servers can capture the unencrypted sensitive information. This could be accomplished through:

• Man-in-the-middle attacks on the local network
• Compromised network infrastructure between the device and cloud servers
• Network traffic monitoring at any hop along the transmission path

Since no authentication is required and no user interaction is needed for exploitation, the vulnerability is relatively straightforward to exploit for attackers with appropriate network positioning. The data is transmitted automatically by the device, meaning passive monitoring alone is sufficient to capture sensitive information.

Detection Methods for CVE-2025-65297

Indicators of Compromise

• Unexpected outbound network connections from Aqara Hub devices to unknown external IP addresses
• Unencrypted HTTP traffic originating from smart home hub devices
• Large volumes of data being transmitted from IoT devices during periods of inactivity
• Network traffic analysis revealing plaintext sensitive information in packet captures

Detection Strategies

• Deploy network monitoring tools to inspect traffic from IoT devices, specifically looking for unencrypted transmissions
• Implement deep packet inspection at the network perimeter to identify sensitive data being transmitted in cleartext
• Use IoT security monitoring solutions to establish baseline behavior and alert on anomalous data exfiltration patterns
• Configure firewall logging to track all outbound connections from Aqara Hub device IP addresses

Monitoring Recommendations

• Segment IoT devices including Aqara Hubs onto isolated network VLANs with strict egress filtering
• Enable flow logging and traffic analysis for all IoT network segments
• Deploy SentinelOne Singularity platform with network visibility capabilities to monitor for suspicious IoT device behavior
• Regularly review network logs for unexpected data transmissions from smart home devices

How to Mitigate CVE-2025-65297

Immediate Actions Required

• Isolate affected Aqara Hub devices onto a dedicated VLAN with restricted internet access
• Implement firewall rules to block or limit outbound traffic from affected devices to only necessary destinations
• Monitor network traffic from these devices to understand what data is being transmitted
• Consider disconnecting devices from the network until a firmware update addressing this issue is available

Patch Information

As of the last update on 2025-12-19, no vendor patch has been publicly announced by Aqara to address this vulnerability. Users should monitor the GitHub Unauthorized Data Upload Report and Aqara's official channels for updates. Contact Aqara support directly to inquire about firmware updates addressing unauthorized data collection and encryption of transmitted data.

Workarounds

• Deploy network-level encryption such as a VPN for all IoT device traffic to protect data in transit
• Use firewall rules to restrict Aqara Hub devices to communicate only with known, trusted IP addresses
• Consider using a Pi-hole or similar DNS filtering solution to block telemetry endpoints
• Implement network segmentation to isolate smart home devices from sensitive network resources

# Example firewall configuration to restrict Aqara Hub traffic
# Replace AQARA_HUB_IP with your device's IP address

# Block all outbound traffic from Aqara Hub by default
iptables -A FORWARD -s AQARA_HUB_IP -j DROP

# Allow only essential local network communication
iptables -I FORWARD -s AQARA_HUB_IP -d 192.168.0.0/16 -j ACCEPT

# Log blocked connection attempts for monitoring
iptables -I FORWARD -s AQARA_HUB_IP -j LOG --log-prefix "AQARA_BLOCKED: "