CVE-2025-65294: n/a
Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 contain an undocumented remote access mechanism enabling unrestricted remote command execution.
AI Analysis
Technical Summary
CVE-2025-65294 is a critical remote code execution vulnerability found in several Aqara Hub devices, specifically the Camera Hub G3 version 4.1.9_0027, Hub M2 version 4.3.6_0027, and Hub M3 version 4.3.6_0025. The root cause is an undocumented remote access mechanism embedded within the device firmware that allows attackers to execute arbitrary commands remotely without any authentication or user interaction. This vulnerability falls under CWE-94, indicating improper control of code generation or execution. The CVSS v3.1 base score is 9.8, reflecting the ease of exploitation (network vector, no privileges required, no user interaction) and the severe impact on confidentiality, integrity, and availability. Attackers exploiting this flaw can gain full control over the affected devices, potentially using them as entry points into broader networks or for espionage. Despite the severity, no patches or official mitigations have been released yet, and no active exploits have been observed in the wild. The vulnerability affects IoT hubs commonly used in smart home environments, which often have direct access to internal networks and sensitive data streams. The lack of authentication on the remote access interface is a critical design flaw that must be addressed promptly. Organizations relying on these devices should assume compromise risk and take immediate protective measures.
Potential Impact
For European organizations, the impact of CVE-2025-65294 is substantial. Aqara hubs are widely used in smart home and building automation systems, including in corporate and residential environments. Exploitation could lead to unauthorized surveillance via compromised camera hubs, theft of sensitive personal or corporate data, and disruption of IoT services. The vulnerability also opens pathways for attackers to pivot into internal networks, potentially compromising other critical infrastructure. This is particularly concerning for sectors with high IoT adoption such as manufacturing, healthcare, and smart buildings. The confidentiality breach risk is high due to potential camera access, while integrity and availability are threatened by arbitrary command execution that could disable or manipulate devices. The absence of authentication and the network-accessible attack vector increase the likelihood of exploitation once exploits become publicly available. This could lead to widespread attacks targeting European smart environments, causing operational disruptions and privacy violations.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement immediate compensating controls:
- Isolate Aqara Hub devices on dedicated network segments or VLANs with strict firewall rules blocking inbound remote access from untrusted networks.
- Disable any remote management or cloud connectivity features if possible to reduce exposure.
- Employ network monitoring and intrusion detection systems to identify unusual command execution or traffic patterns associated with these devices.
- Regularly audit device firmware versions and configurations to detect unauthorized changes.
- Engage with Aqara or authorized vendors for updates or guidance and prioritize patching once available.
- Consider replacing vulnerable devices in high-risk environments with alternatives that follow secure development practices.
- Educate users about the risks of IoT devices and enforce strong network access controls.
- Integrate these devices into broader security incident response plans to quickly contain potential breaches.
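As an added example (not part of this advisory and not Aqara's own guidance), the network-isolation recommendation above expressed as an nftables ruleset for a router or firewall that sits between the hub VLAN, the trusted LAN and the Internet. Interface names, VLAN and address ranges, and the single admin host allowed to reach the hubs are assumptions chosen for illustration; the logged drop rules double as a feed for the network-monitoring recommendation.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset, not from the advisory or from Aqara.
# All interface names and address ranges below are assumptions.
flush ruleset

define WAN_IF    = "eth0"          # assumed upstream / Internet interface
define LAN_IF    = "eth1"          # assumed trusted internal LAN
define IOT_IF    = "vlan30"        # assumed VLAN that carries the Aqara hubs
define LAN_NET   = 10.10.0.0/24    # assumed trusted segment
define IOT_NET   = 10.30.0.0/24    # assumed IoT segment
define MGMT_HOST = 10.10.0.5       # assumed admin workstation allowed to reach the hubs

table inet iot_isolation {
    chain forward {
        # Default deny: anything not explicitly allowed between segments is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that one of the accept rules below permitted.
        ct state established,related accept
        ct state invalid drop

        # Nothing on the Internet may initiate a connection to a hub.
        # The log prefix lets an IDS or SIEM alert on inbound attempts.
        iifname $WAN_IF oifname $IOT_IF counter log prefix "iot-inbound-blocked " drop

        # A compromised hub must not be able to pivot into the trusted LAN.
        iifname $IOT_IF oifname $LAN_IF counter log prefix "iot-to-lan-blocked " drop

        # Only the admin workstation may open connections to the hubs from the LAN.
        iifname $LAN_IF oifname $IOT_IF ip saddr $MGMT_HOST ip daddr $IOT_NET accept

        # Hubs may reach the Internet only if cloud features are still needed
        # (e.g. for a future firmware update). Remove this rule once cloud
        # connectivity has been disabled as the advisory recommends.
        iifname $IOT_IF oifname $WAN_IF ip saddr $IOT_NET counter accept
    }
}
```

Load it with `nft -f <file>` and review the counters with `nft list ruleset` after a day of operation: a non-zero count on the `iot-inbound-blocked` or `iot-to-lan-blocked` rules is exactly the "unusual traffic pattern" the monitoring recommendation asks you to look for, and the kernel log lines carrying those prefixes can be forwarded to an IDS or SIEM.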
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6939e8d65ab76fdc5f28af17
Added to database: 12/10/2025, 9:40:38 PM
Last enriched: 12/17/2025, 11:11:50 PM
Last updated: 2/4/2026, 10:25:15 PM