CVE-2025-65297: n/a

Severity: High
Type: Vulnerability
Published: Wed Dec 10 2025 (12/10/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 automatically collect and upload unencrypted sensitive information. Note that this occurs without disclosure or consent from the manufacturer.

AI-Powered Analysis

Last updated: 12/17/2025, 23:14:53 UTC

Technical Analysis

CVE-2025-65297 identifies a vulnerability in several Aqara Hub devices—specifically Camera Hub G3 version 4.1.9_0027, Hub M2 version 4.3.6_0027, and Hub M3 version 4.3.6_0025—where these devices automatically collect and transmit sensitive information without encryption. This data collection and upload occur without disclosure or consent from the manufacturer, violating privacy expectations and potentially regulatory requirements. The vulnerability is classified under CWE-5 (Improper Restriction of Operations within the Bounds of a Memory Buffer), indicating a flaw related to handling sensitive data. The CVSS v3.1 score is 7.5 (high), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning the attack can be performed remotely over the network without any privileges or user interaction, and it results in a complete loss of confidentiality. The lack of encryption means that attackers on the same network or with network access can intercept sensitive data in transit. The vulnerability does not affect integrity or availability directly but poses a serious privacy risk. No patches or updates have been linked yet, and no exploits are known in the wild. This vulnerability affects IoT devices commonly used in smart home environments, which may be integrated into enterprise or residential networks, increasing the attack surface. The automatic data upload without user consent also raises compliance concerns under data protection regulations such as GDPR.

Potential Impact

For European organizations, the primary impact is the exposure of sensitive information transmitted by Aqara Hub devices, which can include personal data, network information, or other confidential details. This exposure can lead to privacy violations, regulatory non-compliance (notably GDPR), and potential reputational damage. Organizations using these devices in office environments or employee residences for remote work may inadvertently expose internal network details or user data. The unencrypted transmission allows attackers with network access to perform passive eavesdropping attacks, potentially leading to targeted phishing or further exploitation. While the vulnerability does not directly compromise device integrity or availability, the confidentiality breach alone is significant, especially for sectors handling sensitive data such as finance, healthcare, and government. The lack of manufacturer disclosure and consent complicates risk management and incident response. Additionally, the presence of these devices in smart buildings or IoT-integrated infrastructures could provide attackers with reconnaissance information for broader attacks.

Mitigation Recommendations

1. Network Segmentation: Isolate Aqara Hub devices on separate VLANs or network segments to limit exposure to sensitive internal networks.
2. Enforce Network Encryption: Use VPNs or secure tunnels for all IoT device traffic to prevent interception of unencrypted data.
3. Monitor Network Traffic: Deploy IDS/IPS solutions to detect unusual data transmissions from Aqara devices, focusing on unencrypted uploads.
4. Disable Unnecessary Features: Where possible, disable automatic data collection or cloud upload features on affected devices.
5. Device Inventory and Risk Assessment: Identify all Aqara devices in the environment and assess their usage and data sensitivity.
6. Engage with Manufacturer: Request official patches or firmware updates addressing the vulnerability and demand transparency regarding data collection.
7. User Awareness: Inform users about the privacy risks and advise on safe usage practices, including avoiding these devices in sensitive environments.
8. Regulatory Compliance Review: Evaluate the impact of this vulnerability on GDPR and other privacy regulations, and prepare for potential reporting obligations.
9. Consider Alternative Devices: For critical environments, replace vulnerable Aqara devices with alternatives that ensure encrypted data transmission and user consent.
10. Apply Network Access Controls: Restrict device communication to only necessary endpoints and block unauthorized external connections.
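
The traffic-monitoring step above (item 3), as an added Python example that is not part of the original advisory: it totals the bytes that inventoried hubs send to external hosts over sessions the flow sensor did not classify as encrypted. The CSV layout, hub addresses and sample flows are constructed assumptions; the advisory names no endpoints, ports or protocols.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the advisory): hub addresses come from your own
# inventory, and flow records are exported as CSV with these columns.
HUB_IPS = {"192.168.50.10", "192.168.50.11"}
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENCRYPTED_SERVICES = {"ssl", "tls", "quic"}

# Constructed sample flows; destinations use documentation address ranges.
SAMPLE_FLOWS = """ts,src_ip,dst_ip,dst_port,proto,service,orig_bytes
1765350000,192.168.50.10,203.0.113.20,443,tcp,ssl,5120
1765350010,192.168.50.10,203.0.113.21,80,tcp,http,18432
1765350020,192.168.50.11,198.51.100.7,1883,tcp,mqtt,2048
1765350030,192.168.50.11,192.168.50.1,53,udp,dns,120
1765350040,192.168.50.77,203.0.113.21,80,tcp,http,900
1765350050,192.168.50.10,203.0.113.21,80,tcp,http,4096
"""

def is_internal(addr):
    """True when addr falls inside one of the INTERNAL networks."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def cleartext_egress(flow_csv, hub_ips=HUB_IPS):
    """Sum bytes sent by inventoried hubs to external hosts over services
    that the flow sensor did not classify as encrypted."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src_ip"] not in hub_ips:
            continue                      # not an inventoried hub
        if is_internal(row["dst_ip"]):
            continue                      # stays on the local network
        if row["service"].lower() in ENCRYPTED_SERVICES:
            continue                      # sensor saw an encrypted session
        # An empty or unknown service label is treated as cleartext.
        key = (row["src_ip"], row["dst_ip"], int(row["dst_port"]), row["service"])
        totals[key] += int(row["orig_bytes"])
    # Largest uploads first, so the worst offender heads the report.
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (src, dst, port, svc), sent in cleartext_egress(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} ({svc}) cleartext bytes sent: {sent}")
```

The destinations this reports are also the starting point for the allowlist in item 10: anything a hub reaches that is not on the list of necessary endpoints is a candidate for blocking.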

Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6939efe25ab76fdc5f31bfb2

Added to database: 12/10/2025, 10:10:42 PM

Last enriched: 12/17/2025, 11:14:53 PM

Last updated: 2/4/2026, 6:11:01 PM
