CVE-2024-7205 in eWeLink Cloud Service Exposes Devices to Takeover
eWeLink, the popular smart home platform, has issued a critical security advisory warning users of a vulnerability in its cloud service. The flaw, designated CVE-2024-7205 (CVSS 9.4), could allow a user with whom a smart home device has been shared to take control of that device.
The vulnerability affects the eWeLink Cloud Service homepage module in versions 2.0.0 to 2.19.0. The issue stems from the sharing of unnecessary device-sensitive information when a primary user shares their smart device with another user. This information leakage enables the secondary user to add the primary user’s device to their account, effectively gaining control.
For this vulnerability to be exploited, the primary user must share the device with the secondary user. Once shared, the secondary user can access all device information via the cloud interface. The exposure of unnecessary key information in this shared data allows the secondary user to add the primary user’s device to their own account, effectively taking over the device.
By exploiting this vulnerability, a secondary user can assume the role of the primary user, gaining complete control over the device. This could lead to unauthorized access, manipulation of device settings, and potential breaches of user privacy.
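The advisory describes a data-minimisation failure: the share response carries fields the recipient never needs, and one of those fields is enough to bind the device to another account. The following is an added illustration, not eWeLink's code, of the pattern and its fix. Every field name (`device_key`, `owner_account`, the account addresses and device ids) is a constructed placeholder; the page does not say which fields actually leaked. It contrasts a handler that returns the owner's whole device record with one that applies an allowlist, adds an audit helper that reports non-allowlisted fields in a response, and shows the server-side ownership check that should gate any "add device to my account" request.

```python
"""Added example (not eWeLink's code): allowlisting the device-sharing response
and refusing to re-bind an already-owned device. All identifiers are constructed."""

from typing import Dict, Optional, Set

# Constructed sample record, as a cloud might store it for the device owner.
# "device_key" stands in for whatever secret the real service leaked; hypothetical.
PRIMARY_DEVICE: Dict[str, object] = {
    "device_id": "dev-0001",                         # constructed
    "name": "Living room switch",
    "model": "placeholder-model",
    "online": True,
    "state": {"switch": "on"},
    "device_key": "owner-only-secret-placeholder",   # hypothetical pairing secret
    "owner_account": "alice@example.com",            # constructed
}

# Fields a share recipient needs in order to view and operate the device.
# Anything outside this set is owner-only and must never appear in a share view.
SHARED_VIEW_ALLOWLIST = frozenset({"device_id", "name", "model", "online", "state"})


def share_response_vulnerable(device: Dict[str, object]) -> Dict[str, object]:
    """The pattern the advisory describes: the full record, secrets included,
    is handed to the secondary user."""
    return dict(device)


def share_response_hardened(device: Dict[str, object]) -> Dict[str, object]:
    """Data minimisation: only allowlisted fields reach a share recipient."""
    return {k: v for k, v in device.items() if k in SHARED_VIEW_ALLOWLIST}


def leaked_fields(device: Dict[str, object], response: Dict[str, object]) -> Set[str]:
    """Audit helper: which owner-only fields of `device` appear in `response`.
    Useful as a regression test on any endpoint that serves shared devices."""
    return {k for k in response if k in device and k not in SHARED_VIEW_ALLOWLIST}


def bind_device(owners: Dict[str, str], requester: str, device_id: str) -> Optional[Dict[str, str]]:
    """Server-side check for an 'add device to my account' request.

    Possession of a device secret is not proof of ownership: a device that is
    already bound to another account is refused unless its current owner is the
    requester. Returns the updated owner map on success, None on refusal; the
    input map is not mutated."""
    current = owners.get(device_id)
    if current is not None and current != requester:
        return None                      # someone else owns it: refuse takeover
    updated = dict(owners)
    updated[device_id] = requester       # unclaimed, or re-bound by its owner
    return updated


if __name__ == "__main__":
    owners = {"dev-0001": "alice@example.com"}   # constructed ownership registry
    print("leaked by vulnerable handler:",
          sorted(leaked_fields(PRIMARY_DEVICE, share_response_vulnerable(PRIMARY_DEVICE))))
    print("leaked by hardened handler:",
          sorted(leaked_fields(PRIMARY_DEVICE, share_response_hardened(PRIMARY_DEVICE))))
    print("bob may bind dev-0001:", bind_device(owners, "bob@example.com", "dev-0001") is not None)
```

The two controls are independent and both are worth having: the allowlist stops the secret leaving the owner's trust boundary, and the ownership check means that even a leaked secret does not let a second account claim a device that is still bound to its owner.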
eWeLink has addressed CVE-2024-7205 in the latest version of its cloud service. Users are strongly advised to ensure that their eWeLink app and any associated devices are updated to the latest version to mitigate the risk of exploitation.
eWeLink has not provided details on whether this vulnerability has been exploited in the wild. However, given the severity of the issue and the potential for widespread impact, users are urged to take immediate action to protect their smart homes and personal information.