Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.
AnalysisAI
Remote unauthenticated attackers can decrypt user credentials and hijack IoT device sessions in Meari SDK-based mobile applications (CloudEdge, Arenti, white-label apps) by exploiting hardcoded cryptographic keys shared across all installations. The SDK embeds API signing secrets, password-transport encryption keys, and service access tokens in application binaries, enabling adversaries to intercept and decrypt account credentials in transit, forge authenticated API requests, and potentially access cloud services without user authentication. No public exploit code identified at time of analysis, but EPSS scoring and exploitation complexity are low given the static nature of hardcoded secrets.
Technical ContextAI
The Meari IoT SDK is an embedded library distributed in Android mobile applications for controlling IP cameras and IoT devices, including CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label rebranded apps through version 1.8.x. The vulnerability stems from CWE-321 (Use of Hard-coded Cryptographic Key) - critical cryptographic material is compiled directly into application binaries rather than being securely provisioned per-installation or per-user. This includes HMAC signing keys for API authentication, symmetric encryption keys for password transmission during login flows, and access credentials for backend cloud services. Because these keys are identical across all SDK instances, an attacker who extracts secrets from one application binary via static reverse-engineering can decrypt credentials and forge requests against any deployment using the same SDK version. The CPE identifier cpe:2.3:a:meari:com.meari.sdk confirms this is a library-level vulnerability affecting all integrating applications, not just individual branded products.
RemediationAI
Primary fix requires vendor action: Meari must release updated SDK builds (version 1.9.0 or later) with cryptographic keys removed from static code and migrated to secure per-installation provisioning mechanisms such as runtime key derivation, hardware-backed keystores (Android Keystore), or server-issued session tokens. Application vendors (CloudEdge, Arenti, white-label distributors) must then rebuild and redistribute mobile apps incorporating the patched SDK. End-user mitigation is LIMITED pending vendor patches: users should avoid entering credentials on untrusted networks (public WiFi) where traffic interception risk is highest, enable VPN tunneling to protect login sessions, and monitor account activity for unauthorized device access or configuration changes. Enterprise deployments should implement network segmentation isolating IoT camera traffic from sensitive systems, deploy TLS-inspecting proxies to detect anomalous API requests using compromised signing keys (look for requests lacking expected client certificates or using known-bad key fingerprints), and consider suspending deployment of affected applications in high-security zones until patched versions are available. No configuration-based workaround exists because the keys are compiled into application binaries. Check vendor advisories at https://www.runzero.com/advisories/meari-sdk-hardcoded-cryptographic-keys-cve-2026-33362/ for patch release announcements.
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29106
GHSA-w7mj-frmj-5g6g