What is the CVSS score of CVE-2025-6031?

CVE-2025-6031 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Amazon Cloud Cam are affected by CVE-2025-6031?

Amazon Cloud Cam devices in your environment are vulnerable to network interception attacks due to deprecated infrastructure and disabled SSL pinning protections.

How to fix or mitigate CVE-2025-6031?

Within 24 hours: Inventory all Amazon Cloud Cam devices across the organization and isolate them to a segregated network segment. Within 7 days: Communicate mandatory decommissioning plan to device owners and establish deadline for removal. Within 30 days: Complete physical removal or factory reset of all identified devices and replace with actively supported security camera solutions.

Amazon Cloud Cam CVE-2025-6031

EUVD-2025-18203 HIGH

Operation on a Resource after Expiration or Release (CWE-672)

2025-06-12 ff89ba41-3aa1-4d27-914a-91399e9639e5

Authentication Bypass

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:20 euvd

EUVD-2025-18203

Analysis Generated

Mar 14, 2026 - 21:20 vuln.today

CVE Published

Jun 12, 2025 - 20:15 nvd

HIGH 7.5

DescriptionNVD

Amazon Cloud Cam is a home security camera that was deprecated on December 2, 2022, is end of life, and is no longer actively supported.

When a user powers on the Amazon Cloud Cam, the device attempts to connect to a remote service infrastructure that has been deprecated due to end-of-life status. The device defaults to a pairing status in which an arbitrary user can bypass SSL pinning to associate the device to an arbitrary network, allowing for network traffic interception and modification.

We recommend customers discontinue usage of any remaining Amazon Cloud Cams.

AnalysisAI

Critical SSL pinning bypass vulnerability in the deprecated Amazon Cloud Cam that allows unauthenticated attackers on the same network to intercept and modify device traffic by associating the camera to an arbitrary network during its default pairing state. The vulnerability affects all Amazon Cloud Cam units, which reached end-of-life on December 2, 2022, and are no longer receiving security updates. An attacker can exploit this to eavesdrop on video streams, modify device configuration, or potentially gain unauthorized access to associated AWS infrastructure.

Technical ContextAI

The vulnerability stems from CWE-672 (Operation on a Resource after Expiration or Release), manifesting as improper SSL/TLS certificate pinning implementation in the device's remote service connectivity layer. When the Amazon Cloud Cam powers on, it attempts to establish connections to deprecated AWS infrastructure endpoints without properly validating certificate pinning. The device defaults to an unauthenticated pairing mode where SSL pinning protections are either absent or can be bypassed, allowing an attacker positioned on the local network (AV:A) to perform man-in-the-middle (MITM) attacks. The affected product is specifically Amazon Cloud Cam (all versions/production runs), which relied on proprietary AWS cloud connectivity for operation. The root cause is the combination of: (1) deprecated backend infrastructure no longer receiving security maintenance, (2) lack of certificate pinning enforcement in the pairing protocol, and (3) default-insecure device state during initialization.

CVE-2025-6031 vulnerability details – vuln.today

Back

Amazon Cloud Cam CVE-2025-6031

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Share

External POC / Exploit Code