The Aqara Home Android app (com.lumiunited.aqarahome) version 6.0.0 and white-label clients embedding the same native library liblumidevsdk.so use hard-coded cryptographic keys. This is classified under CWE-321, which denotes the use of hard-coded cryptographic keys that can be extracted and abused by attackers to decrypt or tamper with sensitive data. The vulnerability has a CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating it is remotely exploitable without privileges or user interaction, with high impact on confidentiality and integrity but no impact on availability. No official patch or remediation guidance is currently available.

Exploitation of this vulnerability can lead to full compromise of confidentiality and integrity of data protected by the hard-coded cryptographic key in the affected application version. Attackers can decrypt sensitive information or forge data, undermining trust and security of the Aqara Home app communications or stored data. There is no known impact on availability. No known exploits in the wild have been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider avoiding use of version 6.0.0 of the Aqara Home Android app or white-label clients embedding the vulnerable library. Monitor vendor channels for updates or patches addressing this vulnerability.