Cleartext AES Key Transmission in Sight Bulb Pro by Smart Home Vendor
CVE-2025-6521

6.8 MEDIUM

Key Information:

Vendor
CVE Published:
27 June 2025

What is CVE-2025-6521?

During initial device setup, the Sight Bulb Pro broadcasts an access point that users connect to in order to configure the device. During this process, the AES encryption keys are transmitted in cleartext, leaving them susceptible to interception by anyone who can observe the setup traffic. An attacker who captures these keys could decrypt communications between the Sight Bulb Pro management app and the device, potentially exposing sensitive information, including network credentials. This vulnerability highlights the importance of securing encryption key exchanges to safeguard user data and maintain overall network integrity.

Affected Version(s)

Sight Bulb Pro Firmware ZJ_CG32-2201, versions 0 up to and including 8.57.83

References

CVSS v4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Fahim Balouch reported these vulnerabilities to CISA.