Board Service
Monthly
Missing authentication in the Aqara Board service (op-test.aqara.com) lets remote, unauthenticated attackers submit arbitrary MQTT command payloads that the exposed debug/test API relays to the platform's HiveMQ broker without any credential check. Publicly available proof-of-concept exploit code exists (SSVC: poc), and while EPSS is low (0.06%), runZero documents this as one link in a chain (CVE-2026-50082 through -50085) that together enables a fully unauthenticated remote takeover of affected devices. It is not listed in CISA KEV, so active exploitation in the wild is not confirmed.
Missing authentication in the Aqara Board service (op-test.aqara.com) lets remote, unauthenticated attackers submit arbitrary MQTT command payloads that the exposed debug/test API relays to the platform's HiveMQ broker without any credential check. Publicly available proof-of-concept exploit code exists (SSVC: poc), and while EPSS is low (0.06%), runZero documents this as one link in a chain (CVE-2026-50082 through -50085) that together enables a fully unauthenticated remote takeover of affected devices. It is not listed in CISA KEV, so active exploitation in the wild is not confirmed.