PT-2025-50535 · Aqara · Aqara Hub M2+2
Chapoly1305 · Published 2025-12-10 · Updated 2025-12-14
CVE-2025-65290
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Aqara Camera Hub G3 version 4.1.9 0027
Aqara Hub M2 version 4.3.6 0027
Aqara Hub M3 version 4.3.6 0025
Description
Aqara Hub devices do not properly validate server certificates when downloading firmware updates over HTTPS. This allows attackers positioned between the device and the update server to intercept the communication and potentially replace legitimate firmware with malicious versions.
Recommendations
Update Aqara Camera Hub G3 to a version newer than 4.1.9 0027.
Update Aqara Hub M2 to a version newer than 4.3.6 0027.
Update Aqara Hub M3 to a version newer than 4.3.6 0025.
Weakness Enumeration
Improper Certificate Validation
Affected Products
Aqara Camera Hub G3
Aqara Hub M2
Aqara Hub M3