CVE-2025-65297: n/a

Published: Wed Dec 10 2025 (12/10/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 automatically collect and upload unencrypted sensitive information. Note that this occurs without disclosure or consent from the manufacturer.

AI-Powered Analysis

Last updated: 12/10/2025, 22:17:29 UTC

Technical Analysis

CVE-2025-65297 identifies a privacy and security vulnerability in specific Aqara Hub devices: Camera Hub G3 version 4.1.9_0027, Hub M2 version 4.3.6_0027, and Hub M3 version 4.3.6_0025. These devices automatically collect sensitive user information and upload it to external servers without encrypting the data during transmission. This behavior occurs without any disclosure or consent from the manufacturer, violating fundamental privacy principles and potentially breaching data protection regulations such as GDPR. The unencrypted transmission means that any attacker with network access could intercept and read sensitive data, leading to confidentiality breaches. While no direct exploits have been reported, the vulnerability's nature suggests a high risk of data exposure. The affected versions are explicitly listed, but no patches or mitigations have been provided by the vendor as of the publication date. The vulnerability was reserved and published in late 2025, indicating recent discovery. The lack of a CVSS score means severity must be inferred from the impact on confidentiality, ease of exploitation (no authentication or user interaction required), and the scope of affected devices, which are widely used in smart home environments.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information collected by Aqara Hub devices, which may include video feeds, sensor data, or personal identifiers. Such data leakage can compromise user privacy, violate GDPR and other data protection laws, and damage organizational reputation. Enterprises using these devices in office environments or employee residences for smart automation could inadvertently expose confidential information. The unencrypted data transmission increases the risk of interception by malicious actors, including cybercriminals or state-sponsored entities. This could facilitate espionage, targeted attacks, or identity theft. The absence of user consent or manufacturer transparency exacerbates legal and compliance risks. Additionally, the vulnerability undermines trust in IoT device security, potentially impacting broader IoT adoption in European markets.

Mitigation Recommendations

1. Immediately isolate affected Aqara Hub devices from sensitive or untrusted networks to prevent interception of unencrypted data.
2. Employ network segmentation and monitor traffic for unusual outbound connections from these devices.
3. Use VPNs or encrypted tunnels at the network level to protect data in transit until vendor patches are available.
4. Engage with Aqara or the device manufacturer to demand disclosure, firmware updates, or patches addressing the unencrypted data transmission.
5. Conduct a thorough inventory of all Aqara devices in use and assess the sensitivity of data they collect.
6. Implement strict access controls and logging on networks where these devices operate.
7. Educate users about the privacy risks and encourage disabling or limiting device functionality if possible.
8. Consider replacing vulnerable devices with alternatives that provide robust encryption and transparent data handling policies.
9. Stay updated on vendor advisories and CVE databases for any forthcoming patches or exploit reports.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6939efe25ab76fdc5f31bfb2

Added to database: 12/10/2025, 10:10:42 PM

Last enriched: 12/10/2025, 10:17:29 PM

Last updated: 12/11/2025, 6:40:26 AM
