CVE-2025-65292 - Aqara Hub M2 Firmware, Aqara Camera Hub G3 Firmware and Aqara Hub M3 Firmware

December 10, 2025

Critical 7.3

Command injection vulnerability in Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 allows attackers to execute arbitrary commands with root privileges through malicious domain names.

Affected software

Aqara Hub M2 Firmware

Aqara Camera Hub G3 Firmware

Aqara Hub M3 Firmware

Reference links

https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/DNS-Command-Injection.md

CVE-2025-65292 - Aqara Hub M2 Firmware, Aqara Camera Hub G3 Firmware and Aqara Hub M3 Firmware

Affected software

Reference links

Get alerted to vulnerabilities in your software