TLS Certificate Validation Flaw in Aqara Hub Products
CVE-2025-65291

7.4HIGH

Key Information:

Vendor

Aqara

Status
Aqara Hub
Vendor
CVE Published:
10 December 2025

What is CVE-2025-65291?

Aqara Hub devices, including the Hub M2, Hub M3, and Camera Hub G3, exhibit a significant vulnerability wherein they fail to properly validate server certificates during TLS connections, particularly for discovery services and CoAP gateway communications. This oversight potentially allows attackers to exploit man-in-the-middle scenarios, gaining unauthorized control and access to device monitoring functionalities. As a result, safeguarding the integrity of communications is crucial for users of these vulnerable devices.

References

https://github.com/Chapoly1305/myCVEReports/blob/main/Aqa...

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.