CVE-2021-27941

Published: 06/05/2021 Updated: 12/07/2022
CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 4.6 | Impact Score: 3.6 | Exploitability Score: 0.9
VMScore: 187
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (up to and including 4.9.2 on Android and up to and including 4.9.1 on iOS) allows a physically proximate malicious user to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.

Vulnerable Product

coolkit ewelink

Github Repositories

This repo describes a vulnerability affecting the QR code based pairing process of the eWeLink IoT devices (CVE-2020-12702).

eWeLink mobile Application - Incorrect Access Control Vulnerability (CVE-2021-27941)

Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by moni