
CVE-2025-65292: n/a

Severity: High
Published: Wed Dec 10 2025 (12/10/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Command injection vulnerability in Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 allows attackers to execute arbitrary commands with root privileges through malicious domain names.

AI-Powered Analysis

Last updated: 12/17/2025, 23:08:22 UTC

Technical Analysis

CVE-2025-65292 is a command injection vulnerability identified in multiple Aqara Hub devices, specifically the Camera Hub G3 version 4.1.9_0027, Hub M2 version 4.3.6_0027, and Hub M3 version 4.3.6_0025. The vulnerability stems from improper sanitization of domain name inputs, which allows an attacker to inject arbitrary shell commands. When a malicious domain name is processed by the device, the injected commands execute with root privileges, granting full control over the device. The attack vector requires local access (AV:L) and low attack complexity (AC:L), with some user interaction (UI:R) necessary, such as triggering the device to resolve or interact with the malicious domain. The vulnerability affects confidentiality, integrity, and availability (all rated high), as an attacker can exfiltrate sensitive data, modify device behavior, or disrupt services. Although no known exploits are currently reported in the wild, the vulnerability’s nature and root-level execution potential make it a critical concern for IoT security. The lack of available patches at the time of publication increases the urgency for defensive measures. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command), a common and dangerous injection flaw. Given the widespread use of Aqara hubs in smart home environments, this vulnerability could be leveraged for lateral movement or as a foothold in larger network attacks.
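The CWE-77 pattern the analysis describes, and its hardened form, as an added example written for this page (constructed code, not Aqara firmware; the `getent hosts` lookup and the function names are assumptions). The weak builder pastes the name into a shell string; the safe path allow-lists the name against RFC 1123 hostname grammar and then executes an argv list with no shell at all.

```python
import re
import subprocess

# Weak pattern the advisory classifies as CWE-77, re-created for illustration
# (constructed; not Aqara's code). An externally influenced domain name is
# pasted into a command line that a shell will parse, so any metacharacter in
# the name becomes part of the command and runs with the daemon's privileges.
def build_lookup_command_unsafe(hostname: str) -> str:
    return f"getent hosts {hostname}"  # would be handed to system() / shell=True

# Allow-list validation: RFC 1123 hostname labels are 1-63 characters of
# letters, digits and hyphens with no leading or trailing hyphen; the whole
# name is at most 253 characters. Anything else (';', '$(', spaces, quotes,
# or a leading '-' that a tool could read as an option) is rejected.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(hostname: str) -> bool:
    if not hostname or len(hostname) > 253:
        return False
    if hostname.endswith("."):  # tolerate a fully-qualified trailing dot
        hostname = hostname[:-1]
    return all(_LABEL.match(label) for label in hostname.split("."))

def build_lookup_command_safe(hostname: str) -> list[str]:
    """Return an argv list for the lookup, or raise if the name is not a hostname."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    # argv form, never a shell string: the name reaches getent as one argument,
    # so even a metacharacter that slipped past validation would be inert.
    return ["getent", "hosts", hostname]

def run_lookup(hostname: str) -> int:
    """Validate, then execute without a shell; returns the process exit status."""
    argv = build_lookup_command_safe(hostname)
    return subprocess.run(argv, shell=False, check=False,
                          capture_output=True, timeout=5).returncode

if __name__ == "__main__":
    print(build_lookup_command_safe("hub.example.com"))
```

The two layers are independent: validation stops a hostile name at the boundary, and the argv call means that even a validation bug cannot turn a name into a command. The C equivalent on firmware is `execve()` with an argv array instead of `system()` or `popen()`; quoting with `shlex.quote` is only a fallback for cases where a shell string is unavoidable.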

Potential Impact

For European organizations, the impact of CVE-2025-65292 can be significant, especially for those integrating Aqara smart hubs into their IoT infrastructure or smart building management systems. Successful exploitation could lead to unauthorized root access, enabling attackers to manipulate device functions, intercept or alter data streams, and potentially pivot to other networked systems. This threatens the confidentiality of sensitive information, the integrity of device operations, and the availability of smart home or building automation services. In sectors like healthcare, finance, or critical infrastructure where IoT devices are increasingly deployed, such a compromise could disrupt operations or facilitate broader cyberattacks. Additionally, privacy concerns arise from potential camera hub compromises, risking unauthorized surveillance. The vulnerability’s requirement for local access and user interaction somewhat limits remote mass exploitation but does not eliminate risks from insider threats or phishing campaigns that trick users into interacting with malicious domains. The absence of patches means organizations must rely on interim mitigations, increasing operational complexity and risk exposure.

Mitigation Recommendations

1. Implement strict network segmentation to isolate Aqara Hub devices from critical enterprise networks and sensitive data environments.
2. Restrict outbound DNS queries and monitor DNS traffic for unusual or suspicious domain name resolutions that could indicate exploitation attempts.
3. Disable or limit device features that automatically resolve or interact with external domain names unless absolutely necessary.
4. Employ endpoint detection and response (EDR) solutions capable of identifying anomalous command execution patterns on IoT devices.
5. Educate users about the risks of interacting with unknown or suspicious domains, reducing the likelihood of user interaction required for exploitation.
6. Regularly audit and inventory IoT devices to ensure visibility and control over vulnerable assets.
7. Coordinate with Aqara for timely firmware updates and apply patches immediately upon release.
8. Consider deploying network-level intrusion prevention systems (IPS) with signatures targeting command injection attempts or suspicious DNS payloads.
9. Use strong authentication and access controls to limit local access to the devices, reducing the attack surface.
10. Maintain comprehensive logging and monitoring to detect early signs of exploitation or reconnaissance activities.
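Mitigation 2 (monitoring DNS traffic for suspicious names) in working code, as an added example that is not part of the original analysis. It scans a constructed four-field resolver log (timestamp, client IP, query type, query name; the layout is an assumption, not any particular resolver's format) and reports names that carry shell metacharacters, exceed DNS length limits, or break hostname grammar on host lookups, while leaving underscore-prefixed SRV names alone.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines: timestamp, client IP, query type, query name.
# Not real traffic; the IPs and names are placeholders.
SAMPLE_DNS_LOG = "\n".join([
    "2025-12-11T08:01:12Z 10.20.30.41 A api.aqara.example",
    "2025-12-11T08:01:13Z 10.20.30.41 AAAA time.cloud.example",
    "2025-12-11T08:01:15Z 10.20.30.41 SRV _mqtt._tcp.example",
    "2025-12-11T08:01:19Z 10.20.30.41 A firmware.example.com",
    "2025-12-11T08:02:03Z 10.20.30.41 A update.example;id.attacker.example",
    "2025-12-11T08:02:04Z 10.20.30.52 A x$(uname).example.com",
    "2025-12-11T08:02:15Z 10.20.30.41 A " + "a" * 70 + ".example.com",
])

# Characters a POSIX shell treats specially; none of them belong in a hostname.
SHELL_META = set(";|&$`(){}<>'\"\\ \t\n")

# RFC 1123 label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

@dataclass
class Finding:
    line_no: int
    client: str
    qname: str
    reasons: list[str]

def inspect_qname(qname: str, qtype: str) -> list[str]:
    """Return the reasons a query name looks suspicious; empty list if it is clean."""
    reasons: list[str] = []
    meta = sorted(SHELL_META.intersection(qname))
    if meta:
        reasons.append("shell metacharacters: " + "".join(meta))
    labels = qname.rstrip(".").split(".")
    if any(len(label) > 63 for label in labels):
        reasons.append("label longer than 63 octets")
    if len(qname.rstrip(".")) > 253:
        reasons.append("name longer than 253 octets")
    # Hostname grammar only applies to host lookups: SRV/TXT names such as
    # _mqtt._tcp.example legitimately begin labels with an underscore.
    if not reasons and qtype in ("A", "AAAA"):
        if not all(_LABEL.match(label) for label in labels):
            reasons.append("label violates RFC 1123 hostname grammar")
    return reasons

def scan_dns_log(text: str) -> list[Finding]:
    """Parse the log and return one Finding per suspicious query, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parts = line.split(None, 3)  # keep everything after the type as the name
        if len(parts) != 4:
            continue  # malformed line; a real pipeline would count these too
        _ts, client, qtype, qname = parts
        reasons = inspect_qname(qname, qtype)
        if reasons:
            findings.append(Finding(line_no, client, qname, reasons))
    return findings

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {f.line_no} client {f.client}: {f.qname!r} -> {', '.join(f.reasons)}")
```

A hit is a signal, not proof: DNS labels may legally contain any byte, so a grammar failure on its own only merits an alert, but metacharacters in a name queried from an IoT segment that should resolve a handful of vendor domains are worth investigating, and pairing this check with a per-device allow-list of expected domains (mitigation 3) is what makes the alert actionable.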


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6939e8d65ab76fdc5f28af11

Added to database: 12/10/2025, 9:40:38 PM

Last enriched: 12/17/2025, 11:08:22 PM

Last updated: 2/7/2026, 6:36:53 AM

Views: 76
