Description
Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtain complete control of the connected accessories) by leveraging the ability to sniff HTTP traffic on the local intranet network.
References (1)
Core 1
Core References
Various Sources x_refsource_misc
https://www.tiferrei.com/philips-we-need-to-talk
Scores
CVSS v3
7.5
EPSS
0.0042
EPSS Percentile
33.5%
Attack Vector
ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-326
Status
published
Products (1)
philips/hue_bridge_bsb002_firmware
1707040932
Published
Oct 01, 2017
Tracked Since
Feb 18, 2026