
CVE-2025-10693: CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') in silabs.com Silicon Labs Z-Wave SDK

Severity: High
Tags: Vulnerability, CVE-2025-10693, CWE-757
Published: Fri Oct 31 2025 (10/31/2025, 19:20:16 UTC)
Source: CVE Database V5
Vendor/Project: silabs.com
Product: Silicon Labs Z-Wave SDK

Description

When SmartStart Inclusion fails during the onboarding of a Z-Wave PIR sensor, the sensor will join the network as a non-secure device. This vulnerability exists in Silicon Labs' Z-Wave PIR Sensor Reference design delivered as part of SiSDK v2025.6.0 and v2025.6.1.

AI-Powered Analysis

Last updated: 10/31/2025, 19:42:25 UTC

Technical Analysis

CVE-2025-10693 is classified under CWE-757 (Selection of Less-Secure Algorithm During Negotiation, an algorithm downgrade) and affects the Z-Wave PIR Sensor Reference design shipped with Silicon Labs' SiSDK v2025.6.0 and v2025.6.1. The issue arises during SmartStart Inclusion. SmartStart inclusion includes Security 2 (S2) bootstrapping, so a failed onboarding normally means the secure key exchange did not complete; instead of aborting or retrying, the sensor joins the Z-Wave network anyway as a non-secure node with no S0/S2 security class granted. A non-secure node is still a full member of the network, so its reports and the commands addressed to it are carried without the authentication and encryption the S2 command class would otherwise provide. The downgrade therefore bypasses the cryptographic protections intended to safeguard the network and its devices.

The root cause is in the reference design's inclusion handling, which fails open rather than closed: an onboarding failure should leave the device off the network, not on it unprotected. The attack vector is network-based and requires no prior authentication, but it needs user interaction because the condition is only reachable while a device is being onboarded. The CVSS 4.0 score of 7.6 (High) reflects significant impact on confidentiality and integrity, since an attacker in radio range of a sensor that ended up non-secure could read or manipulate its sensor data and commands. Availability impact is low, and there is no scope change beyond the vulnerable component. No public exploits have been reported, but the flaw matters for any IoT deployment that relies on Z-Wave sensors for security or automation, and a practical check follows from it: after every inclusion, confirm on the controller which security classes the new node was actually granted.

Potential Impact

For European organizations deploying smart home, building automation, or industrial IoT solutions built on Silicon Labs Z-Wave devices, this vulnerability can expose PIR sensor data and the control commands exchanged with the sensor. A sensor that joined non-secure can be read or spoofed by anyone in radio range of the Z-Wave network, which allows an attacker to suppress presence detection, trigger false alarms, or otherwise undermine a security system that relies on the sensor, and gives a foothold for further activity within the Z-Wave network. Confidentiality of sensor data, which may include presence detection or environmental monitoring information, is at high risk; integrity is also severely affected because commands can be injected and readings spoofed. Although availability impact is low, the overall trustworthiness of the IoT environment is undermined. Where the sensor data is personal data, exposure or manipulation may have regulatory implications under GDPR, and organizations that depend on Z-Wave for critical security functions may face operational disruption or reputational damage. The absence of known exploits currently provides a window for proactive mitigation, but the wide use of Z-Wave in European smart buildings and homes makes the potential attack surface large.

Mitigation Recommendations

1. Immediately audit all Z-Wave PIR sensors and related devices to identify those built on the vulnerable SDK versions 2025.6.0 or 2025.6.1.
2. Engage with Silicon Labs or device vendors for patches or updated SDK versions that address the SmartStart Inclusion failure and enforce secure onboarding.
3. Monitor device onboarding closely: after every inclusion, check the security classes the controller actually granted to the new node, and alert on any inclusion failure or any node that joined with no security class. Exclude and re-include any sensor that ended up non-secure.
4. Enforce network segmentation to isolate IoT controllers and gateways from critical infrastructure and sensitive data networks.
5. Disable or restrict SmartStart Inclusion where possible until patches are applied, or require manual S2 inclusion with DSK verification, and confirm the outcome as in step 3.
6. Educate users and administrators on the risks of insecure device onboarding and the importance of verifying device security status post-inclusion.
7. Employ network-level intrusion detection tuned to detect anomalous Z-Wave traffic patterns indicative of a downgrade or unauthorized device behavior.
8. Maintain an inventory of all Z-Wave devices, their firmware and SDK versions, and their granted security classes to facilitate timely updates and vulnerability management.
9. Consider alternative secure IoT protocols or devices if patching is delayed or unsupported.
10. Review and update incident response plans to include IoT-specific attack scenarios involving algorithm downgrade vulnerabilities.
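The following is an added example, not Silicon Labs code and not part of this advisory. It models the fail-open inclusion behaviour described in the Technical Analysis beside a fail-closed policy, and implements the post-inclusion check from mitigation steps 1, 3 and 8: an audit over a controller's node inventory that flags SmartStart nodes left with no security class and nodes built on the affected SDK releases. The JSON inventory format, its field names, the product strings and the function names are constructed for this example and must be mapped onto your controller's real export before use.

```python
"""Added example (not Silicon Labs code): fail-open vs fail-closed SmartStart
inclusion, plus an audit of a controller's node inventory for the non-secure
joins that CVE-2025-10693 produces.  The inventory JSON schema, field names,
product strings and function names are constructed for this example."""
import json
from dataclasses import dataclass
from enum import Enum

# SDK releases the advisory names as shipping the affected PIR reference design.
AFFECTED_SDK_VERSIONS = {"2025.6.0", "2025.6.1"}


class Security(Enum):
    NONE = "None"                       # no S0/S2 keys granted
    S0 = "S0"
    S2_UNAUTH = "S2_Unauthenticated"
    S2_AUTH = "S2_Authenticated"
    S2_ACCESS = "S2_AccessControl"


@dataclass
class Node:
    node_id: int
    product: str
    sdk_version: str
    inclusion: str          # "SmartStart" or "Classic"
    security: Security
    on_network: bool = True


def smartstart_include(node_id, product, sdk_version, s2_bootstrap_ok, fail_closed):
    """Return the node's end state after a SmartStart inclusion attempt.

    fail_closed=False models the behaviour the advisory describes: when S2
    bootstrapping fails the sensor stays on the network with no security class.
    fail_closed=True models the policy a hardened design should apply: a failed
    bootstrap is a failed inclusion, so the node is not left on the network
    (a real device would reset itself and become ready to retry).
    """
    if s2_bootstrap_ok:
        return Node(node_id, product, sdk_version, "SmartStart", Security.S2_AUTH)
    if fail_closed:
        return Node(node_id, product, sdk_version, "SmartStart", Security.NONE,
                    on_network=False)
    return Node(node_id, product, sdk_version, "SmartStart", Security.NONE)


def load_inventory(json_text):
    """Parse a (constructed) controller export into Node objects."""
    return [Node(raw["node_id"], raw["product"], raw["sdk_version"],
                 raw["inclusion"], Security(raw["security"]))
            for raw in json.loads(json_text)]


def audit(nodes):
    """Flag nodes that joined non-secure and nodes on an affected SDK release.

    Returns (node_id, severity, reason) tuples.  A SmartStart node with no
    security class is exactly the condition the advisory describes; any other
    non-secure node is still worth a look; affected SDK builds are flagged even
    when their current inclusion looks healthy, so the vendor fix gets tracked.
    """
    findings = []
    for n in nodes:
        if not n.on_network:
            continue
        if n.security is Security.NONE:
            if n.inclusion == "SmartStart":
                findings.append((n.node_id, "HIGH",
                                 "SmartStart inclusion ended non-secure (S2 bootstrap failed?)"))
            else:
                findings.append((n.node_id, "MEDIUM", "node has no security class"))
        if n.sdk_version in AFFECTED_SDK_VERSIONS:
            findings.append((n.node_id, "MEDIUM",
                             f"built on affected SDK {n.sdk_version}; confirm vendor fix"))
    return findings


# Constructed inventory: node 2 shows the CVE-2025-10693 outcome (SmartStart
# inclusion that ended with no security class); node 3 is the same hardware
# included correctly; node 4 is an unrelated, healthy device.
SAMPLE_INVENTORY = json.dumps([
    {"node_id": 2, "product": "PIR sensor (reference design)", "sdk_version": "2025.6.1",
     "inclusion": "SmartStart", "security": "None"},
    {"node_id": 3, "product": "PIR sensor (reference design)", "sdk_version": "2025.6.1",
     "inclusion": "SmartStart", "security": "S2_Authenticated"},
    {"node_id": 4, "product": "Door sensor", "sdk_version": "2024.12.0",
     "inclusion": "Classic", "security": "S2_Authenticated"},
])


if __name__ == "__main__":
    # The same failed S2 bootstrap under the two policies.
    vuln = smartstart_include(5, "PIR sensor", "2025.6.0", s2_bootstrap_ok=False, fail_closed=False)
    hard = smartstart_include(5, "PIR sensor", "2025.6.0", s2_bootstrap_ok=False, fail_closed=True)
    print("fail-open  :", vuln.on_network, vuln.security.value)   # True None
    print("fail-closed:", hard.on_network, hard.security.value)   # False None
    for node_id, sev, why in audit(load_inventory(SAMPLE_INVENTORY)):
        print(f"node {node_id:>2} [{sev}] {why}")
```

Run against the sample inventory, the audit reports node 2 at HIGH (the SmartStart join that ended non-secure) and both reference-design sensors at MEDIUM for the affected SDK build, while the healthy door sensor produces nothing; a node dropped by the fail-closed policy never appears because it is not on the network at all. Feed it your controller's real node export once the field names are mapped, and treat any HIGH finding as an exclude-and-re-include action.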


Technical Details

Data Version
5.2
Assigner Short Name
Silabs
Date Reserved
2025-09-18T14:59:31.624Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69050e83f07fd4df0f173843

Added to database: 10/31/2025, 7:31:15 PM

Last enriched: 10/31/2025, 7:42:25 PM

Last updated: 11/1/2025, 4:07:45 PM
