CVE-2025-65291 is a vulnerability identified in Aqara Hub devices, specifically the Hub M2 (version 4.3.6_0027), Hub M3 (4.3.6_0025), and Camera Hub G3 (4.1.9_0027). The root cause is the failure of these devices to validate server certificates properly during TLS connections used for discovery services and CoAP (Constrained Application Protocol) gateway communications. This improper validation violates secure TLS handshake protocols, allowing an attacker positioned on the network path to perform man-in-the-middle (MitM) attacks. Through such MitM attacks, adversaries can intercept, modify, or inject malicious commands and data, compromising the confidentiality and integrity of device control and monitoring functions. The vulnerability does not affect availability directly, but the compromise of control channels can lead to unauthorized device manipulation. The CVSS v3.1 score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates a network attack vector with high impact on confidentiality and integrity, requiring high attack complexity but no privileges or user interaction. No patches or known exploits are currently reported, but the risk remains significant given the widespread use of Aqara smart home hubs in residential and commercial environments. The vulnerability is classified under CWE-295, which relates to improper certificate validation, a common issue that undermines TLS security guarantees.

For European organizations, especially those deploying Aqara smart home or IoT devices for building automation, security monitoring, or employee convenience, this vulnerability poses a serious risk. Successful exploitation could allow attackers to intercept sensitive data streams, manipulate device states, or disable monitoring functions, potentially leading to unauthorized physical access or privacy breaches. Since these hubs often integrate with broader smart building systems, the compromise could cascade, affecting other connected devices or services. The impact is heightened in environments with lax network segmentation or where these devices are accessible from less secure network zones. Privacy regulations such as GDPR also increase the stakes, as interception of personal data via compromised devices could lead to regulatory penalties. The lack of known exploits suggests a window for proactive mitigation, but the high CVSS score demands urgent attention to prevent future attacks.

1. Immediately isolate Aqara Hub devices on dedicated VLANs or network segments with strict access controls to limit exposure to untrusted networks. 2. Disable any remote or cloud-based access features until patches or firmware updates are available. 3. Monitor network traffic for unusual TLS handshake failures or unexpected CoAP communications that may indicate MitM attempts. 4. Engage with Aqara or device vendors to obtain firmware updates that properly validate TLS certificates and apply them promptly. 5. Implement network-level TLS inspection and certificate pinning where feasible to detect and block invalid certificates. 6. Educate users and administrators about the risks of connecting these devices to public or unsecured Wi-Fi networks. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalies in IoT device communications. 8. Maintain an inventory of all Aqara devices and their firmware versions to track vulnerable assets effectively.