CVSS Vector
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description
Philips Hue Bridge HomeKit Accessory Protocol Static Nonce Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the SRP authentication mechanism in the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the use of a static nonce value. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-28451.
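An added example, not code from the advisory or from the vendor: a check a defender could run over recorded pair-setup M2 response bodies to see whether an accessory repeats its SRP public value between sessions. It assumes the "static nonce" would show up as a repeated accessory public key (the page does not say which SRP value is static); the TLV8 type codes are those of the HomeKit Accessory Protocol, and the sample messages are constructed.

```python
# Added example: sample messages below are constructed, not captured from a bridge.
TLV_SALT, TLV_PUBLIC_KEY, TLV_STATE = 0x02, 0x03, 0x06   # HAP TLV8 item types
STATE_M2 = b"\x02"  # pair-setup "SRP Start Response" sent by the accessory

def parse_tlv8(data: bytes) -> dict:
    """Decode TLV8; a 255-byte item followed by the same type is one value."""
    out, i, prev_type, prev_len = {}, 0, None, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV8 header")
        t, n = data[i], data[i + 1]
        chunk = data[i + 2:i + 2 + n]
        if len(chunk) != n:
            raise ValueError("truncated TLV8 value")
        if t == prev_type and prev_len == 255:
            out[t] += chunk          # continuation fragment of a long value
        else:
            out[t] = chunk           # new item
        prev_type, prev_len, i = t, n, i + 2 + n
    return out

def encode_tlv8(items) -> bytes:
    """Build TLV8, splitting values longer than 255 bytes into fragments."""
    out = bytearray()
    for t, v in items:
        for off in range(0, max(len(v), 1), 255):
            part = v[off:off + 255]
            out += bytes([t, len(part)]) + part
    return bytes(out)

def reused_public_keys(m2_bodies):
    """Return (first_seen, repeat) index pairs where the SRP public key recurs."""
    seen, repeats = {}, []
    for idx, raw in enumerate(m2_bodies):
        tlv = parse_tlv8(raw)
        key = tlv.get(TLV_PUBLIC_KEY)
        if tlv.get(TLV_STATE) != STATE_M2 or key is None:
            continue                 # not an M2 response, skip it
        if key in seen:
            repeats.append((seen[key], idx))
        seen.setdefault(key, idx)
    return repeats

# Constructed 384-byte (3072-bit) public values and 16-byte salts.
KEY_A, KEY_B = b"\xa5" * 384, b"\x3c" * 384
SAMPLE = [encode_tlv8([(TLV_STATE, STATE_M2), (TLV_PUBLIC_KEY, k), (TLV_SALT, bytes([s]) * 16)])
          for k, s in [(KEY_A, 1), (KEY_B, 2), (KEY_A, 3)]]
print(reused_public_keys(SAMPLE))
```

A non-empty result means the same accessory public value appeared in more than one pairing session, which a correct SRP implementation should not produce.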
Analysis
CVE-2026-3559 is an authentication bypass vulnerability in Philips Hue Bridge devices affecting the HomeKit Accessory Protocol implementation, where a static nonce in the SRP authentication mechanism allows network-adjacent attackers to gain unauthorized access without credentials. With a CVSS score of 8.1 and requiring only local network access, attackers can achieve high confidentiality and integrity impact on the affected smart home infrastructure. …
Remediation
Within 24 hours: Identify and inventory all Philips Hue Bridge devices in use; isolate affected devices to a segmented network if possible. Within 7 days: Implement network access controls restricting Hue Bridge communication to trusted devices only; disable HomeKit integration if not critical to operations; monitor for suspicious local network activity. …
EUVD-2026-12160