CVE-2025-6521 | THREATINT

Description

During the initial setup of the device the user connects to an access point broadcast by the Sight Bulb Pro. During the negotiation, AES Encryption keys are passed in cleartext. If captured, an attacker may be able to decrypt communications between the management app and the Sight Bulb Pro which may include sensitive information such as network credentials.

PUBLISHED Reserved 2025-06-23 | Published 2025-06-27 | Updated 2025-06-27 | Assigner icscert

HIGH: 7.6CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

MEDIUM: 6.8CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Problem types

CWE-327

Product status

Default status

unaffected

Any version

affected

Credits

Fahim Balouch reported these vulnerabilities to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-25-177-02

www.trendmakerscares.com/Customer-Service-Hours

cve.org (CVE-2025-6521)

nvd.nist.gov (CVE-2025-6521)

Download JSON