PT-2020-18883 · Philips · Philips Hue Bridge

Author: Colin O’Flynn +4
Published: 2020-01-23 · Updated: 2025-10-09 · CVE-2020-6007
CVSS v3.1: 7.9 (High)
Vector: AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Philips Hue Bridge model 2.X prior to and including version 1935144020

Description: The issue is a heap-based buffer overflow that occurs when a long ZCL string is handled during the commissioning phase, resulting in remote code execution. It can be exploited using a malicious ZigBee light bulb to infiltrate a home IoT network. The flaw could allow remote attackers to gain access to the entire Wi-Fi network over the air, without cracking the password, and to launch further attacks against other devices connected to the same network.

Recommendations: For Philips Hue Bridge model 2.X prior to and including version 1935144020, update to a version later than 1935144020 to resolve the issue. As a temporary workaround, consider restricting access to the commissioning phase to minimize the risk of exploitation. Avoid using the vulnerable Philips Hue Bridge until the issue is resolved.

Exploit

Fix

Heap Based Buffer Overflow

Memory Corruption

Weakness Enumeration

Related Identifiers: CVE-2020-6007

Affected Products: Philips Hue Bridge