
Yeelight App Android CVE-2025-8210

Severity: LOW (CVSS 4.0 base score 1.9, NVD)
Weakness: Improper Export of Android Application Components (CWE-926)
Published: 2025-07-26 · CNA contact: cna@vuldb.com (VulDB)

Severity by source

NVD (primary): 1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD), decoded

Attack Vector (AV): Local
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): None
Vulnerable System Confidentiality / Integrity / Availability (VC/VI/VA): Low / Low / Low
Subsequent System Confidentiality / Integrity / Availability (SC/SI/SA): None / None / None
Exploit Maturity (E): Proof-of-Concept
Environmental and supplemental metrics: not defined (X)

CVSS 4.0 has no Scope metric; the subsequent-system metrics replace it, and all three are None here, so the rated impact is confined to the vulnerable system (the device running the app).

Lifecycle Timeline

1. Analysis generated: Apr 29, 2026, 01:49 (vuln.today)

Description (CVE.org)

A vulnerability was found in Yeelink Yeelight App up to 3.5.4 on Android. It has been classified as problematic. Affected is an unknown function of the file AndroidManifest.xml of the component com.yeelight.cherry. The manipulation leads to improper export of android application components. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Improper export of Android application components in the Yeelink Yeelight App for Android up to version 3.5.4 lets another app installed on the same device (a local attacker with low privileges, PR:L) reach application functionality that the AndroidManifest.xml of com.yeelight.cherry exposes without restriction. Real-world impact is rated very low (CVSS 1.9, EPSS 0.03%) despite a public proof-of-concept, because exploitation needs code already running on the device: practical scenarios are limited to a device that already hosts a malicious app or that the attacker can physically access.

Technical Context (AI)

The weakness is CWE-926 (Improper Export of Android Application Components), a manifest misconfiguration rather than a bug in application code. In the AndroidManifest.xml of com.yeelight.cherry, one or more activities, services, broadcast receivers or content providers are reachable from other applications, either because they are declared with android:exported="true" or because they carry an <intent-filter> without any android:exported attribute, which the platform treats as an implicit export for apps targeting API levels below 31 (Android 12 made the attribute mandatory for such components). The manifest either exports components that other apps have no need to reach, or leaves exported components without an android:permission guard, so any app on the device can drive them through the normal Intent/IPC mechanisms with nothing more than its own low privileges. The advisory does not name the affected component. The attack surface is confined to local inter-process communication; there is no network exposure.
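As an added example (this is not code from vuln.today, VulDB or Yeelink, and the advisory publishes no manifest), the following Python script applies the platform's export rules to a manifest and reports every component another app on the device can reach. The package name com.example.lightapp, the component names and both manifests are constructed for illustration: the weak one shows the patterns CWE-926 covers (an intent-filter with no android:exported, an explicit export with no permission, and a guard permission left at the default "normal" protection level, which any app can obtain just by requesting it), the hardened one the corrected declarations. The checker goes slightly beyond the advisory's single case by also handling the content-provider default (exported below API 17) and checking the protectionLevel of any guard permission.

```python
"""Audit an AndroidManifest.xml for components reachable by other apps.

Added example, not code from vuln.today, VulDB or Yeelink. Both manifests and
every name in them (com.example.lightapp, .LanControlService, ...) are
constructed for illustration and are not the Yeelight app's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")


def a(attr):
    """Namespaced attribute key as ElementTree sees android:<attr>."""
    return f"{{{ANDROID}}}{attr}"


def is_exported(comp, target_sdk):
    """Platform export rule for one component.
    An explicit android:exported wins. Without it, activities/services/receivers
    are exported iff they carry an <intent-filter> (Android 12, API 31, refuses
    to install apps targeting 31+ that rely on this, but lower targets keep the
    implicit export). Providers default to exported only below API 17."""
    explicit = comp.get(a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if comp.tag == "provider":
        return target_sdk < 17
    return comp.find("intent-filter") is not None


def is_launcher(comp):
    """The MAIN/LAUNCHER activity must be exported; do not report it."""
    return any(cat.get(a("name")) == "android.intent.category.LAUNCHER"
               for f in comp.findall("intent-filter") for cat in f.findall("category"))


def audit(manifest_xml, default_target_sdk=30):
    """Return [(tag, name, status)] for every reachable, non-launcher component.
    status: 'open' (no permission), 'weak-permission' (guard permission declared
    here with normal/dangerous protection, so any app can hold it), 'guarded'
    (signature-level permission) or 'external-permission' (declared elsewhere,
    verify its protectionLevel by hand)."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(a("targetSdkVersion"), default_target_sdk)) if sdk is not None else default_target_sdk
    # protectionLevel defaults to "normal": granted to any app that requests it
    perms = {p.get(a("name")): p.get(a("protectionLevel"), "normal") for p in root.findall("permission")}
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENTS or is_launcher(comp) or not is_exported(comp, target_sdk):
            continue
        perm = comp.get(a("permission"))
        if perm is None:
            status = "open"
        elif perm not in perms:
            status = "external-permission"
        elif "signature" in perms[perm]:
            status = "guarded"
        else:
            status = "weak-permission"
        findings.append((comp.tag, comp.get(a("name")), status))
    return findings


def reachable_by_any_app(manifest_xml, **kw):
    """Names of components a third-party app on the same device can drive."""
    return sorted(n for _, n, s in audit(manifest_xml, **kw) if s in ("open", "weak-permission"))


# Constructed weak manifest: the CWE-926 patterns, targeting API 30.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.lightapp">
  <uses-sdk android:targetSdkVersion="30"/>
  <permission android:name="com.example.lightapp.permission.INTERNAL"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".DeviceControlActivity">
      <intent-filter><action android:name="com.example.lightapp.CONTROL"/></intent-filter>
    </activity>
    <service android:name=".LanControlService" android:exported="true"/>
    <receiver android:name=".TokenReceiver" android:exported="true" android:permission="com.example.lightapp.permission.INTERNAL"/>
    <provider android:name=".ConfigProvider" android:authorities="com.example.lightapp.config"/>
  </application>
</manifest>"""

# Constructed hardened manifest: explicit exported flags, signature-level guard.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.lightapp">
  <uses-sdk android:targetSdkVersion="34"/>
  <permission android:name="com.example.lightapp.permission.INTERNAL" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".DeviceControlActivity" android:exported="false">
      <intent-filter><action android:name="com.example.lightapp.CONTROL"/></intent-filter>
    </activity>
    <service android:name=".LanControlService" android:exported="false"/>
    <receiver android:name=".TokenReceiver" android:exported="true" android:permission="com.example.lightapp.permission.INTERNAL"/>
    <provider android:name=".ConfigProvider" android:authorities="com.example.lightapp.config" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit(m), "->", reachable_by_any_app(m))
```

Run against a real APK, feed it the decoded manifest (for example the AndroidManifest.xml that apktool writes out); the binary manifest inside the APK is not plain XML. A guarded component is still exported, so the script only trusts a guard whose protectionLevel contains "signature".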

Remediation (AI)

Update the Yeelight App to a version later than 3.5.4 if one becomes available; the vendor did not respond to the disclosure, so a fixed release may never ship. Until then, uninstall or disable the app where it is not needed, especially on shared devices or devices with elevated security requirements. Where it must stay installed, reduce the chance of a malicious app landing beside it: keep "Install unknown apps" disabled for every app, install only from trusted stores, and on managed devices restrict which apps may be installed. Android exposes no user-facing log of inter-app Intent traffic, so for an end user the practical check is reviewing the installed third-party apps for anything unexpected; an analyst with adb access can watch logcat for activity starts targeting com.yeelight.cherry. Keep a lock screen (PIN or biometric) enabled so that physical access does not turn into local code execution. Record the vulnerability in the asset inventory and watch for a vendor update, but do not plan around one. For the app's developers the fix is in the manifest: set android:exported="false" on every component other apps do not need, and protect the components that must stay exported with an android:permission whose protectionLevel is signature.
