Fahim Balouch

Name of the Vulnerable Software and Affected Versions: TrendMakers Sight Bulb Pro (affected versions not specified) Description: The issue arises during the initial setup of the device, where the user connects to an access point broadcast by the Sight Bulb Pro. During this negotiation, AES Encryption keys are passed in cleartext. If captured, an attacker may be able to decrypt communications between the management app and the Sight Bulb Pro, which may include sensitive information such as network credentials. There have been reports of trivial shell command execution with zero mitigations, allowing for root access via LAN. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Sight Bulb Pro (affected versions not specified) Description: The issue allows unauthenticated users on an adjacent network to run shell commands as root through a vulnerable proprietary TCP protocol available on Port 16668. This enables an attacker to execute arbitrary commands on the Sight Bulb Pro by passing a well-formed JSON string. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.