Aqara Hub Command Injection Vulnerability Allowing Root Privilege Execution

Vulnerability

A command injection vulnerability has been identified in Aqara Hub devices, specifically the Camera Hub G3 (firmware 4.1.9_0027), Hub M2 (firmware 4.3.6_0027), and Hub M3 (firmware 4.3.6_0025). The flaw stems from missing input sanitization in the device's DNS lookup routine: when the hub checks connectivity to a DNS server, it takes the stored domain name from its configuration and passes it to a command execution function without filtering shell metacharacters. A crafted domain name containing shell separators therefore terminates the intended command and appends arbitrary commands, which run with root privileges.

Impact

Successful exploitation yields unauthenticated remote code execution as root on the affected Aqara Hub devices.

Reproduction

To reproduce the issue, confirm the device is running one of the affected firmware versions. Then store a domain name containing shell separators (for example a value with a trailing `; <command>`) in the 'persist.app.country_domain' setting. The next time the device's DNS lookup routine runs, the stored value is interpolated into the command line and the appended command executes as root, which confirms the injection. The advisory does not state which channel is used to write that setting.
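The pattern behind the vulnerability described above and in the Reproduction section, shown as an added C example that is not Aqara's firmware code. The command name (nslookup), the function names, and the sample domain values are assumptions; the page does not disclose which command the hub actually runs. The vulnerable variant builds a shell command line from the stored domain, so any separator in that string splits the command; the hardened variant applies a hostname allow-list and then passes the domain as a separate argv entry, so no shell ever parses it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 512

/* VULNERABLE pattern (assumed, not the vendor's code): the stored domain is
 * pasted into a shell command line that would then be handed to system()
 * or popen(). Everything after a shell separator in `domain` becomes a second
 * command, running with the daemon's privileges (root on the hub). */
int build_shell_command(const char *domain, char *cmd, size_t cmdlen) {
    int n = snprintf(cmd, cmdlen, "nslookup %s", domain);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Returns 1 if the command line the vulnerable code would build contains a
 * metacharacter that the shell would treat as a separator, 0 if not, -1 on
 * build failure. This is the check that the advisory says is missing. */
int shell_lookup_splits(const char *domain) {
    char cmd[CMD_MAX];
    if (build_shell_command(domain, cmd, sizeof cmd) != 0) return -1;
    return strpbrk(cmd, ";|&`$()<>\n") != NULL;
}

/* Hostname allow-list per RFC 1123: dot-separated labels of 1..63 characters,
 * letters, digits and hyphen only, no leading or trailing hyphen, total
 * length at most 253. Anything else (spaces, ';', '$', ...) is rejected. */
int is_valid_hostname(const char *h) {
    size_t len = strlen(h);
    if (len == 0 || len > 253) return 0;
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-') return 0;  /* empty label or "x-." */
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return 0;
        if (c == '-' && label == 0) return 0;             /* leading hyphen */
        if (++label > 63) return 0;
    }
    if (label == 0 || h[len - 1] == '-') return 0;        /* trailing dot or hyphen */
    return 1;
}

/* HARDENED pattern: validate first, then never involve a shell. The domain is
 * one argv element for execvp, so a ';' inside it could only ever be part of
 * the hostname argument. Returns the child's exit status, or -1 if the
 * hostname was rejected or the process could not be started. */
int safe_lookup(const char *domain) {
    if (!is_valid_hostname(domain)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "nslookup", (char *)domain, NULL };
        execvp(argv[0], argv);
        _exit(127);  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample values: a benign domain and an injected one. */
    const char *benign = "api.example.com";
    const char *evil   = "example.com; id > /tmp/pwned";
    char cmd[CMD_MAX];

    build_shell_command(evil, cmd, sizeof cmd);
    printf("command a system() call would receive: %s\n", cmd);
    printf("would the shell split it? %d\n", shell_lookup_splits(evil));
    printf("is_valid_hostname(%s) = %d\n", benign, is_valid_hostname(benign));
    printf("is_valid_hostname(%s) = %d\n", evil, is_valid_hostname(evil));
    printf("safe_lookup(evil) = %d (rejected before fork/exec)\n", safe_lookup(evil));
    return 0;
}
```

Two points a practitioner should take from this: the allow-list runs before any process is created, so a rejected value never reaches the resolver path at all, and argv-based execution removes the shell as an interpreter rather than trying to escape for it. Where the goal is only to test resolution, calling getaddrinfo() directly avoids spawning an external tool entirely, which is the smallest fix for this class of bug.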

Remediation

Users should update Hub M2 and Hub M3 devices to firmware version 4.3.8, released via OTA on August 28, 2025. For the Camera Hub G3, a corresponding fixed firmware version was released via OTA on October 20, 2025.

Added: Dec 10, 2025, 10:27 PM
Updated: Dec 10, 2025, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.