CVE-2022-25989 — Authentication Bypass by Spoofing in Eufy Homebase 2

CWE-290 — Authentication Bypass by Spoofing4 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 69.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Anker Eufy Homebase 2 Anker Eufy Homebase 2 Firmware

Timeline

PublishedMay 5

Latest updateJun 15

Description

An authentication bypass vulnerability exists in the libxm_av.so getpeermac() functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted DHCP packet can lead to authentication bypass. An attacker can DHCP poison to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5anker/eufy_homebase_22.1.8.5h

▶NVDanker/eufy_homebase_2_firmware2.1.8.5h

🔴Vulnerability Details

GHSA

GHSA-3wpv-xcvc-6543: An authentication bypass vulnerability exists in the libxm_av↗2022-05-06

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, authentication bypass↗2022-06-15

▶

Talos

Vulnerability Spotlight: Vulnerabilities in Anker Eufy Homebase could lead to code execution, authentication bypass↗2022-06-15

▶