CVE-2018-20007

Published: May 16, 2019Modified: Nov 21, 2024

6.8

Vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.9 / Impact: 5.9

Source: NVD

Description

Yeelight Smart AI Speaker 3.3.10_0074 devices have improper access control over the UART interface, allowing physical attackers to obtain a root shell. The attacker can then exfiltrate the audio data, read cleartext Wi-Fi credentials in a log file, or access other sensitive device and user information.

Affected (1)

Products: Yeelight: Smart Ai Speaker Firmware

1 product

Smart Ai Speaker Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yeelight Smart Ai Speaker Firmware	Version 3.3.10_0074

Running on/with	Platform Versions
Yeelight Smart Ai Speaker	All versions

Related CWEs

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (4)

https://forum.yeelight.com/

Source: cve@mitre.org

Vendor Advisory

https://payatu.com/yeelight-smart-ai-speaker-responsible-disclosure/

Source: cve@mitre.org

ExploitThird Party Advisory

https://forum.yeelight.com/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://payatu.com/yeelight-smart-ai-speaker-responsible-disclosure/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.