CVE-2025-56400: n/a
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.
AI Analysis
Technical Summary
CVE-2025-56400 describes a high-severity (CVSS 3.1 base score 8.8) cross-site request forgery in the OAuth implementation of Tuya SDK 6.5.0 for Android and iOS. The flaw is that the SDK does not validate the OAuth state parameter when completing the account-linking flow between a Tuya account and an Amazon Alexa account. In OAuth 2.0 the client generates an unguessable state value when it starts an authorization request and, when the authorization response comes back, checks that the returned value matches the one it stored; that check binds the response to the session that initiated the request and is the standard defence against CSRF on the redirect endpoint. Because the affected applications skip it, the attack takes the classic form: the attacker starts the Alexa linking flow for their own Alexa account, turns the resulting authorization response into a crafted link, and delivers that link to the victim. When the victim opens it, the SDK completes the flow inside the victim’s authenticated Tuya session and links the attacker’s Alexa account to the victim’s Tuya account, after which the attacker can operate the victim’s Tuya-connected devices through Alexa. The vulnerability affects the official Tuya Smart and Smartlife applications and any third-party application that integrates the vulnerable SDK. The attack works whether or not the victim has previously linked Alexa, and the Tuya app does not need to be running when the link is clicked. The CVSS vector corresponds to a network attack vector, low attack complexity and no privileges required, with a single user interaction (the click) as the only precondition; confidentiality, integrity and availability are all rated high because a linked Alexa account can view and control cameras, doorbells, door locks and alarms. No exploitation in the wild has been reported. The assigned weaknesses are CWE-352 (Cross-Site Request Forgery) and CWE-384 (Session Fixation), the latter because the attacker predetermines the outcome of the victim’s linking session. No patch or fixed SDK version is linked in this record.
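The state check described above, shown as an added Python simulation that is not Tuya’s SDK code or Amazon’s authorization server. `Session`, `AuthServer`, `callback_vulnerable` and `callback_hardened` are hypothetical stand-ins for the client app, the Alexa authorization endpoint and the SDK’s linking callback; every account name and code is constructed. The vulnerable handler ignores `state` and so links whatever account the incoming code belongs to; the hardened one refuses any callback whose `state` is missing, does not match the value this session issued, or is replayed.

```python
"""Why the OAuth state check matters: a simulated account-linking callback.

Added illustration, not Tuya SDK code. Session, AuthServer and the callback
handlers are hypothetical stand-ins for the client app, Amazon's authorization
server and the SDK's linking callback; all accounts and codes are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """A logged-in Tuya client session (constructed, not the real SDK object)."""
    tuya_user: str
    pending_state: Optional[str] = None  # state issued when linking was started


class AuthServer:
    """Stand-in for the Alexa authorization server: issues one-time codes."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}

    def authorize(self, alexa_account: str) -> str:
        """The Alexa account owner consents; returns an authorization code."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = alexa_account
        return code

    def exchange(self, code: str) -> str:
        """Redeem a code for the Alexa account it represents (single use)."""
        return self._codes.pop(code)  # KeyError for unknown or reused codes


def start_linking(session: Session) -> Dict[str, str]:
    """Client builds the authorization request and remembers the state.

    The state must be unguessable and bound to the session that started the
    flow; that binding is what the hardened callback relies on.
    """
    session.pending_state = secrets.token_urlsafe(32)
    return {"response_type": "code", "state": session.pending_state}


def callback_vulnerable(session: Session, params: Dict[str, str],
                        auth: AuthServer, links: Dict[str, str]) -> str:
    """Completes the link with whatever code arrives and never looks at
    `state`: the CWE-352 behaviour the advisory describes."""
    alexa = auth.exchange(params["code"])
    links[session.tuya_user] = alexa
    return alexa


def callback_hardened(session: Session, params: Dict[str, str],
                      auth: AuthServer, links: Dict[str, str]) -> str:
    """Refuses to complete the link unless the returned state matches the
    one this session issued. Compared in constant time and consumed on use."""
    expected = session.pending_state
    received = params.get("state")
    if not expected or not received or not hmac.compare_digest(received, expected):
        raise PermissionError("OAuth state missing or mismatched; link refused")
    session.pending_state = None  # single use: a replayed callback fails
    alexa = auth.exchange(params["code"])
    links[session.tuya_user] = alexa
    return alexa


def csrf_attempt(callback, victim_started_linking: bool = False) -> Optional[str]:
    """Attacker links *their own* Alexa account through the victim's session.

    Returns the Alexa account now linked to the victim, or None if refused.
    """
    auth, links = AuthServer(), {}
    victim = Session("victim@example.com")
    if victim_started_linking:  # victim also has a pending state of their own
        start_linking(victim)
    attacker = Session("attacker@example.com")
    req = start_linking(attacker)              # attacker's own state value
    code = auth.authorize("attacker-alexa")    # attacker consents as themselves
    crafted = {"code": code, "state": req["state"]}  # the "crafted link"
    try:
        callback(victim, crafted, auth, links)  # victim clicks; their session runs it
    except PermissionError:
        return None
    return links.get(victim.tuya_user)


def legitimate_link(callback) -> str:
    """The honest flow: the same session starts and finishes the linking."""
    auth, links = AuthServer(), {}
    user = Session("victim@example.com")
    req = start_linking(user)
    code = auth.authorize("victim-alexa")
    return callback(user, {"code": code, "state": req["state"]}, auth, links)


if __name__ == "__main__":
    print("vulnerable:", csrf_attempt(callback_vulnerable))   # attacker-alexa
    print("hardened:  ", csrf_attempt(callback_hardened))     # None
    print("legitimate:", legitimate_link(callback_hardened))  # victim-alexa
```

The hardened path rejects two distinct cases: a victim who never started linking (no pending state at all, which is the "regardless of prior Alexa linkage" scenario in the description) and a victim who did start linking but receives someone else’s state. On a mobile client the callback arrives through a deep link rather than a browser redirect, so the stored state also has to be tied to the app instance that issued it, not just to a cookie.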
Potential Impact
For European organizations, especially those in residential, hospitality, and facility management sectors that deploy Tuya-based IoT devices integrated with Amazon Alexa, this vulnerability poses a significant risk. Unauthorized access to smart home or building automation devices can lead to breaches of privacy, physical security risks (e.g., unauthorized door unlocking), and operational disruptions (e.g., disabling alarms). The ability to remotely control cameras and alarms could facilitate espionage or physical intrusion. Since the attack requires only user interaction via a crafted link, phishing campaigns targeting employees or residents could be effective. The vulnerability’s impact extends beyond individual users to organizations managing multiple IoT endpoints, potentially affecting data protection compliance under GDPR if personal data or security is compromised. The lack of requirement for the Tuya app to be active broadens the window of opportunity for attackers. The threat also undermines trust in smart home ecosystems, potentially affecting adoption and operational continuity in smart buildings across Europe.
Mitigation Recommendations
Until a fixed SDK is available the practical controls are limited. Organizations should identify every application in their estate that embeds Tuya SDK 6.5.0 (the official Tuya Smart and Smartlife apps and any white-label or third-party app built on the SDK) and track vendor advisories for an updated release. Where Alexa integration is not needed, unlink Alexa from Tuya accounts and tell users not to re-link it; where it is needed, users should periodically review the linked services and sessions that the Tuya and Alexa apps expose and remove any they do not recognise. User awareness matters more than usual here, because the only precondition is a click on a crafted authorization link, so phishing guidance and simulations should cover "link your account" prompts arriving by e-mail or message. Developers integrating the SDK should make sure the linking client generates a cryptographically random state value for every authorization request, stores it with the initiating session, rejects any callback whose state is missing or does not match, and treats each value as single-use; since the flaw sits in the SDK, the vendor update is the real fix and should be prioritised. Note that multi-factor authentication on Tuya or Alexa accounts does not stop this attack, because the victim’s own authenticated session completes the link; MFA still limits the damage from stolen credentials and should be enabled, but it is not a mitigation for CVE-2025-56400. Web filtering of known malicious URLs and review of each Tuya account’s linked services and device command history can help detect exploitation after the fact.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6924bdd9228e5e38741e15f1
Added to database: 11/24/2025, 8:19:37 PM
Last enriched: 11/24/2025, 8:25:42 PM
Last updated: 11/25/2025, 9:41:23 AM
Views: 11