Com Lumiunited Aqarahome
Monthly
Hard-coded cryptographic keys in the Aqara Home Android app (com.lumiunited.aqarahome) 6.0.0 and white-label clients embedding the same liblumidevsdk.so let attackers who extract the static keys from the shipped binary decrypt protected data and forge or tamper with device/cloud communications. Because every install ships the identical embedded keys, a single extraction compromises confidentiality and integrity across the entire installed base. Reported by runZero (CVE-2026-50091 / EUVD-2026-36481); publicly available exploit code exists (GitHub PoC 'theres-no-place-like-home'), but it is not on CISA KEV and EPSS is very low at 0.03%.
Hard-coded cryptographic keys in the Aqara Home Android app (com.lumiunited.aqarahome) 6.0.0 and white-label clients embedding the same liblumidevsdk.so let attackers who extract the static keys from the shipped binary decrypt protected data and forge or tamper with device/cloud communications. Because every install ships the identical embedded keys, a single extraction compromises confidentiality and integrity across the entire installed base. Reported by runZero (CVE-2026-50091 / EUVD-2026-36481); publicly available exploit code exists (GitHub PoC 'theres-no-place-like-home'), but it is not on CISA KEV and EPSS is very low at 0.03%.