Cyber Posture

CVE-2025-65294

Severity: Critical · Public PoC available

Published: 10 December 2025
Modified: 17 December 2025
KEV Added: (no date listed)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0104 (77.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 contain an undocumented remote access mechanism enabling unrestricted remote command execution.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: AC-17 requires that remote access mechanisms be authorized, monitored, and protected with authentication and encryption; an undocumented mechanism exposed without authentication violates this control, so enforcing it directly addresses the unauthenticated remote command execution.
- prevent: SI-10 requires validation of inputs to the system, which addresses code-injection weaknesses such as CWE-94 that allow attacker-controlled input to become executed commands.
- prevent: AC-14 prohibits, or strictly limits, actions that may be performed without identification and authentication, eliminating the unrestricted (unauthenticated) remote command execution on the affected devices.

Security Summary (AI-generated)

CVE-2025-65294 is a critical vulnerability affecting Aqara Hub devices, specifically Camera Hub G3 version 4.1.9_0027, Hub M2 version 4.3.6_0027, and Hub M3 version 4.3.6_0025. The flaw stems from an undocumented remote access mechanism that allows unrestricted remote command execution, classified under CWE-94 (code injection). It carries a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

The vulnerability enables remote attackers with network access to the affected devices to execute arbitrary commands without authentication. Exploitation grants high-impact confidentiality, integrity, and availability compromise, potentially allowing full device takeover, data exfiltration, or further network pivoting from the compromised IoT hub.

Detailed technical analysis and potential mitigations are documented in researcher reports at the provided references: https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/QR-Command-Injection.md and https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/Undocumented-Remote-Execution.md. Security practitioners should review these for device-specific workarounds until official patches are released by Aqara.

Details

CWE(s)

- CWE-94 (Code Injection)

Affected Products

| Vendor | Product | Version |
|---|---|---|
| aqara | hub m2 firmware | 4.3.6_0027 |
| aqara | hub m3 firmware | 4.3.6_0025 |
| aqara | camera hub g3 firmware | 4.1.9_0027 |

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The undocumented remote access mechanism enables unrestricted remote command execution on Aqara Hub devices; depending on where the hub is reachable from, that maps to exploitation of a public-facing application (initial access) or of a remote service on the internal network (lateral movement).

References

- https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/QR-Command-Injection.md
- https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/Undocumented-Remote-Execution.md