PT-2025-27247 · Trendmakers · Trendmakers Sight Bulb Pro
Fahim Balouch
·
Published
2025-06-27
·
Updated
2025-06-27
·
CVE-2025-6521
CVSS v3.1
7.6
High
| Vector | AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
TrendMakers Sight Bulb Pro (affected versions not specified)
Description:
The issue arises during the initial setup of the device, where the user connects to an access point broadcast by the Sight Bulb Pro. During this negotiation, AES Encryption keys are passed in cleartext. If captured, an attacker may be able to decrypt communications between the management app and the Sight Bulb Pro, which may include sensitive information such as network credentials. There have been reports of trivial shell command execution with zero mitigations, allowing for root access via LAN.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Use of a Broken Cryptographic Algorithm
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Trendmakers Sight Bulb Pro