Security News > 2022 > June > Anker Eufy smart home hubs exposed to RCE attacks by critical flaw

Anker Eufy smart home hubs exposed to RCE attacks by critical flaw
2022-06-16 17:38

Anker's central smart home device hub, Eufy Homebase 2, was vulnerable to three vulnerabilities, one of which is a critical remote code execution flaw.

Homebase 2 is the video storage and networking gateway for all Anker's Eufy smart home devices, including video doorbells, indoor security cameras, smart locks, alarm systems, and more.

Homebase operates as a central station for Eufy devices, and it connects to the cloud to provide services that enhance the functionality of those products, give users remote control via an app, etc.

The most severe of the trio, CVE-2022-21806 is a critical RCE triggered by sending a specially-crafted set of network packets to the target device.

The flaw lies in a user-after-free problem in the functionality of an internal server that Homebase uses to receive specifically formatted messages from the network, such as for device pairing, configuration, etc.

An attacker might be able to exploit this flaw to receive the video feed from connected camera devices and spy on the owners.


News URL

https://www.bleepingcomputer.com/news/security/anker-eufy-smart-home-hubs-exposed-to-rce-attacks-by-critical-flaw/

Related news

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-06-17 CVE-2022-21806 Use After Free vulnerability in Anker Eufy Homebase 2 Firmware 2.1.8.5H
A use-after-free vulnerability exists in the mips_collector appsrv_server functionality of Anker Eufy Homebase 2 2.1.8.5h.
network
low complexity
anker CWE-416
critical
 9.8
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Anker 3 0 1 4 8 13