Aqara IAM/SSO Gateway
Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft URLs on an Aqara domain that silently forward victims to attacker-controlled sites, enabling credible phishing campaigns against Aqara users and connected IoT ecosystem accounts. The flaw is especially damaging in an SSO context because users are trained to trust authentication-domain URLs, so a link that starts on the legitimate login host is far less likely to be questioned. A public proof-of-concept repository exists on GitHub; no confirmed active exploitation per CISA KEV at time of analysis.
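The redirect-validation logic this class of flaw usually comes down to, as an added example that is not Aqara's code: the gateway's real redirect parameter and allowlist are not published, so the parameter name, the allowlist and the attacker hostnames below are assumptions, and the payloads are constructed. The substring check accepts four of the attacker payloads; the strict check accepts only the two legitimate targets.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; the advisory names gw-builder.aqara.com
# but does not publish the gateway's legitimate post-login destinations.
ALLOWED_HOSTS = {"gw-builder.aqara.com", "app.aqara.com"}


def naive_is_safe(target: str) -> bool:
    """The kind of substring check that leaves a redirect open."""
    return "aqara.com" in target


def strict_is_safe(target: str) -> bool:
    """Accept only same-site absolute https URLs or plain path-relative targets."""
    parts = urlsplit(target)
    if parts.netloc == "":
        # Relative target. Reject anything with a scheme but no authority
        # ("javascript:...", "https:evil"), protocol-relative forms ("//evil")
        # and the backslash variant browsers normalise to "//".
        if parts.scheme:
            return False
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    host = (parts.hostname or "").lower()
    return (
        parts.scheme == "https"
        and parts.username is None      # "https://trusted@evil" carries userinfo
        and parts.password is None
        and host in ALLOWED_HOSTS        # exact match, never endswith("aqara.com")
    )


def resolve_redirect(requested: str, fallback: str = "/") -> str:
    """What a gateway should do with its redirect parameter (name assumed, e.g. 'redirect_url')."""
    return requested if strict_is_safe(requested) else fallback


# Constructed payloads an attacker would try against the redirect parameter.
PAYLOADS = [
    "https://gw-builder.aqara.com/app/home",          # legitimate
    "/app/home",                                      # legitimate, relative
    "https://gw-builder.aqara.com@evil.example/",     # userinfo trick
    "https://gw-builder.aqara.com.evil.example/",     # attacker subdomain
    "//evil.example/?ref=aqara.com",                  # protocol-relative
    "/\\evil.example",                                # backslash, browsers read as //
    "javascript:alert(document.domain)//aqara.com",   # scheme smuggling
]


def audit(payloads=PAYLOADS) -> dict:
    """Map each payload to (naive verdict, strict verdict)."""
    return {p: (naive_is_safe(p), strict_is_safe(p)) for p in payloads}
```

The allowlist is matched against the parsed hostname, not the raw string, and only after the scheme and userinfo are checked; a suffix match on "aqara.com" would still admit the attacker-subdomain payload.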
Cross-origin information disclosure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows attacker-controlled web origins to read authenticated user data because a permissive CORS policy trusts arbitrary origins. The flaw, scored CVSS 8.2 with scope change because credential exposure crosses the browser/identity-provider trust boundary, affects all users of Aqara's centralized smart-home identity service and is triggered when a logged-in victim visits an attacker-hosted page, provided the browser attaches the victim's session credentials to the cross-site request. A public GitHub repository (xn0tsa/theres-no-place-like-home) is linked from the advisory, so exploit code is publicly available, though no CISA KEV listing or EPSS signal is provided.
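An added example, not code from the gateway or from the linked repository, modelling the two halves of the disclosure: the response headers a permissive versus an allowlisted CORS policy emits, and the check a browser applies before letting a page's script read a credentialed cross-origin response. The trusted origins and the attacker origin are assumptions of the example.

```python
# Constructed trusted-origin list; the advisory does not publish the gateway's
# intended origins, and the attacker origin is made up for the example.
TRUSTED_ORIGINS = {"https://app.aqara.com", "https://gw-builder.aqara.com"}
ATTACKER_ORIGIN = "https://attacker.example"


def gateway_cors_headers(policy: str, request_origin: str) -> dict:
    """Response headers the gateway emits for a credentialed cross-origin request."""
    if policy == "reflect":
        # The permissive pattern: echo whatever Origin arrived and allow credentials.
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true"}
    if policy == "wildcard":
        return {"Access-Control-Allow-Origin": "*"}
    if policy == "allowlist":
        if request_origin in TRUSTED_ORIGINS:   # exact match on the full origin
            return {"Access-Control-Allow-Origin": request_origin,
                    "Access-Control-Allow-Credentials": "true",
                    "Vary": "Origin"}            # keep caches from mixing origins
        return {}
    raise ValueError(f"unknown policy {policy!r}")


def browser_exposes_body(headers: dict, page_origin: str, credentials: bool = True) -> bool:
    """The CORS rules a browser applies before script may read the response body."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if credentials:
        # With credentials, "*" is rejected and ACAC must be literally "true".
        if acao == "*" or headers.get("Access-Control-Allow-Credentials") != "true":
            return False
    return acao == "*" or acao == page_origin


def attacker_can_read_session_data(policy: str) -> bool:
    """Victim is logged in; the attacker page fetches the gateway with credentials: 'include'."""
    headers = gateway_cors_headers(policy, ATTACKER_ORIGIN)
    return browser_exposes_body(headers, ATTACKER_ORIGIN, credentials=True)


def origin_can_read(policy: str, origin: str) -> bool:
    """Same check for an arbitrary page origin."""
    return browser_exposes_body(gateway_cors_headers(policy, origin), origin, credentials=True)
```

Reflecting the Origin header is strictly worse than a wildcard: browsers refuse to expose a credentialed response behind Access-Control-Allow-Origin: *, but an echoed origin plus Allow-Credentials: true passes every check. The read still depends on the session cookie being sent cross-site, so a SameSite=Lax or Strict session cookie limits the attack to cookies that are still attached on a top-level or same-site request.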
Unauthenticated cryptographic oracle in the Aqara IAM/SSO gateway (gw-builder.aqara.com) lets remote attackers invoke AES encrypt and decrypt operations performed with the platform's signing key, effectively turning the gateway into a generic crypto oracle for that key. The flaw stems from missing authentication on a critical function combined with a risky cryptographic design (one key serving both identity assertions and an exposed general-purpose operation); no public exploit code or CISA KEV listing has been identified at time of analysis. Because the signing key underpins identity assertions across the Aqara cloud platform, abuse could enable forgery of authentication tokens for a smart-home identity service used by a broad consumer base.
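An added example, not Aqara's implementation: a gateway whose tokens are ciphertext under one key and which exposes unauthenticated encrypt/decrypt on that same key, the forgery that follows, and a hardened variant that binds token integrity to a separate key the oracle never uses. The keys, the claim format and the cipher (an HMAC-SHA256 counter-mode stream cipher standing in for AES, since the standard library has none) are assumptions of the example; the forgery does not depend on which cipher is behind the oracle.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys. PLATFORM_KEY stands in for the gateway's signing key.
PLATFORM_KEY = bytes.fromhex("11" * 32)
TOKEN_MAC_KEY = bytes.fromhex("22" * 32)   # hardened design: separate, never exposed


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for AES-CTR."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- gateway as the advisory describes it: tokens are ciphertext under PLATFORM_KEY,
# and the same key drives two endpoints that perform no authentication at all.
def issue_token(uid: int, role: str) -> bytes:
    return encrypt(PLATFORM_KEY, json.dumps({"uid": uid, "role": role}).encode())


def verify_token(token: bytes):
    try:
        return json.loads(decrypt(PLATFORM_KEY, token))
    except ValueError:            # undecodable plaintext or malformed JSON
        return None


def oracle_encrypt(data: bytes) -> bytes:   # no auth check: anyone can call it
    return encrypt(PLATFORM_KEY, data)


def oracle_decrypt(blob: bytes) -> bytes:   # no auth check: anyone can call it
    return decrypt(PLATFORM_KEY, blob)


# --- attacker: decrypt a token they hold to learn the claim layout, edit, re-encrypt.
def forge_token(own_token: bytes, uid: int = 1, role: str = "admin") -> bytes:
    claims = json.loads(oracle_decrypt(own_token))
    claims.update({"uid": uid, "role": role})
    return oracle_encrypt(json.dumps(claims).encode())


# --- hardened design: integrity comes from a MAC under a key the oracle cannot reach,
# so re-encrypting edited claims yields a token that fails verification.
def issue_token_hardened(uid: int, role: str) -> bytes:
    body = encrypt(PLATFORM_KEY, json.dumps({"uid": uid, "role": role}).encode())
    return body + hmac.new(TOKEN_MAC_KEY, body, hashlib.sha256).digest()


def verify_token_hardened(token: bytes):
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(TOKEN_MAC_KEY, body, hashlib.sha256).digest()):
        return None
    return verify_token(body)
```

The separate MAC key is the second half of the fix, not a substitute for the first: the oracle endpoints themselves need authentication and authorization, and a key used to produce identity assertions should never be reachable through a general-purpose encrypt or decrypt operation.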