CVE-2025-65296: n/a
NULL-pointer dereference vulnerabilities in Aqara Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, and Camera Hub G3 4.1.9_0027 in the JSON processing enable denial-of-service attacks through malformed JSON inputs.
AI Analysis
Technical Summary
CVE-2025-65296 identifies a NULL-pointer dereference vulnerability in the JSON processing routines of Aqara Hub M2 (version 4.3.6_0027), Hub M3 (version 4.3.6_0025), and Camera Hub G3 (version 4.1.9_0027). The vulnerability arises when these devices parse malformed JSON input, leading to a NULL-pointer dereference that causes the device software to crash or become unresponsive, effectively resulting in a denial-of-service (DoS) condition. This flaw is triggered remotely by sending specially crafted JSON data to the affected devices, which typically serve as smart home or building automation hubs. The vulnerability does not require prior authentication, increasing the risk of exploitation by unauthenticated attackers on the same network or potentially via exposed network interfaces. No CVSS score has been assigned yet, and no public exploits have been reported, but the vulnerability's nature suggests it could be leveraged to disrupt device availability. The affected devices are widely used in consumer and enterprise IoT environments, where continuous operation is critical. The lack of patch links indicates that a fix may not yet be available, emphasizing the need for interim mitigations. This vulnerability highlights the risks associated with insufficient input validation in IoT device firmware, particularly in components handling complex data formats like JSON.
Potential Impact
The primary impact of CVE-2025-65296 is denial-of-service, which compromises the availability of Aqara smart hubs and cameras. For European organizations relying on these devices for smart building management, security monitoring, or home automation, exploitation could lead to service outages, loss of monitoring capabilities, and operational disruptions. This may affect physical security, environmental controls, and energy management systems integrated with these hubs. In critical infrastructure or enterprise environments, such interruptions could cascade into broader operational challenges. Additionally, repeated crashes may necessitate manual device resets or replacements, increasing maintenance costs and downtime. Although confidentiality and integrity are not directly impacted, the loss of availability can degrade trust in IoT deployments and complicate incident response. The absence of known exploits reduces immediate risk, but the ease of triggering the vulnerability without authentication means attackers with network access could exploit it. European organizations with extensive IoT deployments should consider this a moderate operational risk until patches are available.
Mitigation Recommendations
1. Monitor Aqara's official channels for firmware updates addressing this vulnerability and apply patches promptly once available.
2. Restrict network access to Aqara hubs and cameras by segmenting IoT devices on isolated VLANs or separate subnets to limit exposure.
3. Implement firewall rules or network intrusion prevention systems (NIPS) to detect and block malformed JSON payloads or suspicious traffic targeting these devices.
4. Disable remote management interfaces if not required, reducing the attack surface.
5. Employ network-level input validation or filtering to prevent malformed JSON data from reaching vulnerable devices.
6. Regularly audit IoT device configurations and network traffic to identify anomalous activity.
7. Educate users and administrators about the risk of sending untrusted data to IoT devices.
8. Consider deploying redundancy or failover mechanisms for critical IoT functions to mitigate potential downtime.
These steps go beyond generic advice by focusing on network segmentation, traffic filtering, and operational controls specific to the affected devices and their typical deployment scenarios.
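One way to implement the network-level JSON validation in recommendations 3 and 5 is a strict gate in a filtering proxy in front of the hub. This is an added example, not code from the advisory or from Aqara. The advisory does not say which malformed inputs trigger the crash, so the gate applies allow-list structural checks, and the size limit, depth limit and field names (`cmd`, `id`) are assumptions for illustration.

```python
import json

MAX_BYTES = 4096   # assumed ceiling for a hub control message
MAX_DEPTH = 8      # assumed nesting limit

class RejectedPayload(ValueError):
    """Raised when a payload must not be forwarded to the device."""

def _no_duplicate_keys(pairs):
    # json.loads calls this for every object; duplicate keys are ambiguous input.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise RejectedPayload(f"duplicate key: {key!r}")
        obj[key] = value
    return obj

def _reject_constant(name):
    # Python accepts NaN / Infinity / -Infinity, but they are not valid JSON.
    raise RejectedPayload(f"non-standard constant: {name}")

def _depth(node, level=1):
    if level > MAX_DEPTH:
        raise RejectedPayload("nesting too deep")
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    for child in children:
        _depth(child, level + 1)

def validate_payload(raw: bytes, required=()):
    """Return the parsed object if it is safe to forward, else raise RejectedPayload."""
    if len(raw) > MAX_BYTES:
        raise RejectedPayload("payload too large")
    try:
        doc = json.loads(raw.decode("utf-8"), object_pairs_hook=_no_duplicate_keys,
                         parse_constant=_reject_constant)
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise RejectedPayload(f"not well-formed JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise RejectedPayload("top-level value must be an object")
    _depth(doc)
    for key in required:
        if doc.get(key) is None:   # missing field or explicit null
            raise RejectedPayload(f"missing or null field: {key!r}")
    return doc

# Constructed samples; the field names are hypothetical, not Aqara's protocol.
GOOD = b'{"cmd": "read", "id": 7}'
BAD = [b'{"cmd": "read", "id":', b'{"cmd": null, "id": 7}', b'[1, 2]']
```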
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6939efe25ab76fdc5f31bfaf
Added to database: 12/10/2025, 10:10:42 PM
Last enriched: 12/10/2025, 10:17:43 PM
Last updated: 12/11/2025, 6:46:29 AM