Colin O’Flynn

**Name of the Vulnerable Software and Affected Versions** Philips Hue Bridge model 2.X prior to and including version 1935144020 **Description** The issue is related to a Heap-based Buffer Overflow that occurs when handling a long ZCL string during the commissioning phase, resulting in remote code execution. This can be exploited using a malicious ZigBee lightbulb to infiltrate a home IoT network. The flaw could allow remote attackers to gain access to the entire WiFi network over-the-air without cracking the password and launch further attacks against other devices connected to the same network. **Recommendations** For Philips Hue Bridge model 2.X prior to and including version 1935144020, update to a version later than 1935144020 to resolve the issue. As a temporary workaround, consider restricting access to the commissioning phase to minimize the risk of exploitation. Avoid using the vulnerable Philips Hue Bridge until the issue is resolved.