fkie_nvd - fkie_cve-2025-8393

FKIE_CVE-2025-8393

Vulnerability from fkie_nvd - Published: 2025-08-08 17:15 - Updated: 2025-08-08 20:30

Severity ?

7.3 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Summary

A TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication which may result in man-in-the-middle attacks on untrusted networks. Captured communications may include user credentials and sensitive session tokens.

References

	URL	Tags
	ics-cert@hq.dhs.gov	https://support.dreametech.com/hc/en-us
	ics-cert@hq.dhs.gov	https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A TLS vulnerability exists in the phone application used to manage a \nconnected device. The phone application accepts self-signed certificates\n when establishing TLS communication which may result in \nman-in-the-middle attacks on untrusted networks. Captured communications\n may include user credentials and sensitive session tokens."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de TLS en la aplicaci\u00f3n de tel\u00e9fono utilizada para administrar un dispositivo conectado. Esta aplicaci\u00f3n acepta certificados autofirmados al establecer comunicaci\u00f3n TLS, lo que puede provocar ataques de intermediario en redes no confiables. Las comunicaciones capturadas pueden incluir credenciales de usuario y tokens de sesi\u00f3n confidenciales."
    }
  ],
  "id": "CVE-2025-8393",
  "lastModified": "2025-08-08T20:30:18.180",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 5.2,
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "ADJACENT",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-08T17:15:30.187",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://support.dreametech.com/hc/en-us"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    }
  ]
}

CVE-2025-8393 (GCVE-0-2025-8393)

Vulnerability from cvelistv5 – Published: 2025-08-08 16:23 – Updated: 2025-08-08 19:14

Title

Dreame Technology iOS and Android Mobile Applications Improper Certificate Validation

Summary

Severity ?

7.3 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

8.5 (High)


                        
                          CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-295

Assigner

icscert

References

URL

Tags

	https://www.cisa.gov/news-events/ics-advisories/i…
	https://support.dreametech.com/hc/en-us

Impacted products

Vendor

Product

Version

Dreame Technology

Dreamehome iOS app

Affected: 0 , ≤ 2.3.4 (custom)

	Dreame Technology	Dreamehome Android app	Affected: 0 , ≤ 2.1.8.8 (custom)
	Dreame Technology	MOVAhome iOS app	Affected: 0 , ≤ 1.2.3 (custom)

Credits

Dennis Giese reported this vulnerability to CISA.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-8393",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-08T19:13:59.867731Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-08T19:14:14.004Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Dreamehome iOS app",
          "vendor": "Dreame Technology",
          "versions": [
            {
              "lessThanOrEqual": "2.3.4",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Dreamehome Android app",
          "vendor": "Dreame Technology",
          "versions": [
            {
              "lessThanOrEqual": "2.1.8.8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MOVAhome iOS app",
          "vendor": "Dreame Technology",
          "versions": [
            {
              "lessThanOrEqual": "1.2.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dennis Giese reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A TLS vulnerability exists in the phone application used to manage a \nconnected device. The phone application accepts self-signed certificates\n when establishing TLS communication which may result in \nman-in-the-middle attacks on untrusted networks. Captured communications\n may include user credentials and sensitive session tokens."
            }
          ],
          "value": "A TLS vulnerability exists in the phone application used to manage a \nconnected device. The phone application accepts self-signed certificates\n when establishing TLS communication which may result in \nman-in-the-middle attacks on untrusted networks. Captured communications\n may include user credentials and sensitive session tokens."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-08T16:23:19.199Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06"
        },
        {
          "url": "https://support.dreametech.com/hc/en-us"
        }
      ],
      "source": {
        "advisory": "ICSA-25-219-06",
        "discovery": "EXTERNAL"
      },
      "title": "Dreame Technology iOS and Android Mobile Applications Improper Certificate Validation",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Dreame Technology did not respond to CISA\u0027s request for coordination. Contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.dreametech.com/hc/en-us\"\u003eDreame Technology\u003c/a\u003e directly for more information. Note that MOVA is a subsidiary of Dreame Technology.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Dreame Technology did not respond to CISA\u0027s request for coordination. Contact  Dreame Technology https://support.dreametech.com/hc/en-us  directly for more information. Note that MOVA is a subsidiary of Dreame Technology."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-8393",
    "datePublished": "2025-08-08T16:23:19.199Z",
    "dateReserved": "2025-07-30T20:02:25.275Z",
    "dateUpdated": "2025-08-08T19:14:14.004Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2025-8393

CVE-2025-8393 (GCVE-0-2025-8393)

Tags

Sightings

Nomenclature