CVE-2025-65292 is a critical command injection vulnerability identified in several Aqara Hub devices, specifically the Camera Hub G3 version 4.1.9_0027, Hub M2 version 4.3.6_0027, and Hub M3 version 4.3.6_0025. The vulnerability arises from improper input validation when processing domain names, allowing an attacker to inject arbitrary commands that execute with root privileges on the device. This means an attacker can fully compromise the device, potentially gaining control over the smart home or office environment managed by the hub. The attack vector involves sending maliciously crafted domain names that the device processes, which does not require user interaction but does require the device to resolve or handle these domains. No CVSS score has been assigned yet, and there are no known exploits in the wild, but the impact of successful exploitation is severe. The vulnerability affects the core firmware of the devices, and no official patches or mitigation links are currently provided. The root-level access gained could allow attackers to manipulate device settings, intercept or alter data, pivot to other network devices, or cause denial of service. This vulnerability highlights the risks associated with IoT devices that have network-facing components and insufficient input sanitization. Organizations relying on Aqara hubs should prioritize identifying affected devices and prepare for immediate remediation once patches become available.

For European organizations, the impact of CVE-2025-65292 can be substantial. Aqara hubs are commonly used in smart home and smart office environments for automation, security monitoring, and device management. Exploitation could lead to full device compromise, enabling attackers to manipulate security cameras, disable alarms, or access sensitive data transmitted through the hub. This can result in breaches of confidentiality, loss of data integrity, and disruption of availability of critical smart infrastructure. Additionally, compromised hubs could serve as pivot points for lateral movement within corporate or residential networks, increasing the risk of broader network compromise. The lack of patches and the root-level command execution capability exacerbate the threat. Privacy regulations such as GDPR could also be implicated if personal data is exposed or manipulated. The operational disruption and potential reputational damage from such an incident could be significant, especially for organizations relying heavily on IoT devices for security and automation.

1. Immediate identification and inventory of all Aqara Hub devices in use, including Camera Hub G3, Hub M2, and Hub M3 models with the specified firmware versions. 2. Monitor official Aqara and parent company communications for firmware updates or security patches addressing CVE-2025-65292 and apply them promptly once available. 3. Implement network segmentation to isolate IoT hubs from critical business networks, limiting potential lateral movement in case of compromise. 4. Employ DNS filtering and monitoring to detect and block suspicious or malformed domain name queries that could exploit this vulnerability. 5. Disable unnecessary network services on the hubs and restrict inbound and outbound traffic to only trusted sources. 6. Use network intrusion detection systems (NIDS) with signatures or heuristics to identify command injection attempts or anomalous device behavior. 7. Educate users and administrators about the risks of IoT device vulnerabilities and enforce strict access controls for device management interfaces. 8. Consider temporary removal or replacement of vulnerable devices in high-security environments until patches are available. 9. Conduct regular security assessments and penetration testing focused on IoT infrastructure to identify and remediate similar risks proactively.