CVE-2025-65290 - Aqara Hub M2 Firmware, Aqara Camera Hub G3 Firmware and Aqara Hub M3 Firmware

Critical 7.4

Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 fail to validate server certificates during HTTPS firmware downloads, allowing man-in-the-middle attackers to intercept firmware update traffic and potentially serve modified firmware files.

Affected software

Aqara Hub M2 Firmware

Aqara Camera Hub G3 Firmware

Aqara Hub M3 Firmware

Reference links
