Cyber Posture

CVE-2025-65294

Critical · Public PoC · RCE

Published: 10 December 2025
Modified: 17 December 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0100 (77.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-65294 is a critical-severity Code Injection (CWE-94) vulnerability in Aqara Hub M2 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-17 (Remote Access).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

[prevent] AC-17 (Remote Access) mandates that remote access mechanisms be protected with authentication and encryption, directly preventing exploitation of the undocumented remote command execution.

[prevent] SI-10 (Information Input Validation) requires validation of all inputs, addressing the code-injection weakness (CWE-94) that enables arbitrary command execution.

[prevent] AC-14 (Permitted Actions Without Identification or Authentication) prohibits or strictly controls actions performed without authentication, eliminating unrestricted remote command execution on affected devices.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

An undocumented remote access mechanism enables unrestricted remote command execution on Aqara Hub devices, which maps to exploitation of a public-facing application (when the hub is reachable from the Internet) and of a remote service (when reached from inside the network).

NVD Description

Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 contain an undocumented remote access mechanism enabling unrestricted remote command execution.

Deeper analysis [AI-generated]

CVE-2025-65294 is a critical vulnerability affecting Aqara Hub devices, specifically Camera Hub G3 version 4.1.9_0027, Hub M2 version 4.3.6_0027, and Hub M3 version 4.3.6_0025. The flaw stems from an undocumented remote access mechanism that allows unrestricted remote command execution, classified under CWE-94 (code injection). It carries a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

The vulnerability enables remote attackers with network access to the affected devices to execute arbitrary commands without authentication. Exploitation grants high-impact confidentiality, integrity, and availability compromise, potentially allowing full device takeover, data exfiltration, or further network pivoting from the compromised IoT hub.

Detailed technical analysis and potential mitigations are documented in the researcher reports listed under References: https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/QR-Command-Injection.md and https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/Undocumented-Remote-Execution.md. Security practitioners should review these for device-specific workarounds until official patches are released by Aqara.

Details

CWE(s)

CWE-94 (Code Injection)

Affected Products

Vendor   Product                  Version
aqara    hub m2 firmware          4.3.6_0027
aqara    hub m3 firmware          4.3.6_0025
aqara    camera hub g3 firmware   4.1.9_0027

CVEs Like This One

CVE-2024-42911 (shared CWE-94)
CVE-2025-42950 (shared CWE-94)
CVE-2025-42957 (shared CWE-94)
CVE-2025-67113 (shared CWE-94)
CVE-2026-35178 (shared CWE-94)
CVE-2024-1490 (shared CWE-94)
CVE-2024-7419 (shared CWE-94)
CVE-2025-46581 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)
CVE-2025-10679 (shared CWE-94)

References

https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/QR-Command-Injection.md
https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/Undocumented-Remote-Execution.md