CVE-2020-12702

MEDIUM

eWeLink < 4.9.1 (iOS) and < 4.9.2 (Android) - Weak Encryption in Quick Pairing Mode


Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-12702. PoCs published by salgio.

AI-analyzed exploit summary: This PoC exploits CVE-2020-12702 by sniffing and decrypting Wi-Fi credentials transmitted during the eWeLink app's Quick Pairing process. It reverses the ESP Touch protocol to extract sensitive information from multicast packets.

Description

Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process.

Exploits (2)

nomisec WORKING POC 5 stars
by salgio · poc
https://github.com/salgio/ESPTouchCatcher

This PoC exploits CVE-2020-12702 by sniffing and decrypting Wi-Fi credentials transmitted during the eWeLink app's Quick Pairing process. It reverses the ESP Touch protocol to extract sensitive information from multicast packets.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: eWeLink mobile application (Android v4.9.2 and earlier, iOS v4.9.1 and earlier)
No auth needed
Prerequisites: Physical proximity to the target network · tshark/pyshark for packet capture · Monitor mode enabled on Wi-Fi interface
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 star
by salgio · poc
https://github.com/salgio/eWeLink-QR-Code

This repository contains a detailed writeup of CVE-2021-27941, an incorrect access control vulnerability in the eWeLink mobile application that allows attackers to eavesdrop on Wi-Fi credentials during the QR code pairing process. The vulnerability arises from unconstrained access to the device's private encryption key, enabling nearby attackers to decrypt sensitive information transmitted over an open softAP WiFi network.

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: eWeLink mobile application (Android through 4.9.2, iOS through 4.9.1)
Auth required
Prerequisites: Physical proximity to the target device during pairing · Valid user account registered on the eWeLink platform · Device ID parameter from the softAP WiFi SSID
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Product, Third Party Advisory x_refsource_misc
https://play.google.com/store/apps/details?id=com.coolkit&hl=en_US
Third Party Advisory x_refsource_misc
https://dl.acm.org/doi/abs/10.1145/3411498.3419965
Exploit, Third Party Advisory x_refsource_misc
https://github.com/salgio/ESPTouchCatcher
Exploit, Third Party Advisory x_refsource_misc
https://www.youtube.com/watch?v=DghYH7WY6iE&feature=youtu.be

Scores

CVSS v3 4.6
EPSS 0.0031
EPSS Percentile 22.0%
Attack Vector PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-327
Status published
Products (2)
coolkit/ewelink < 4.9.1
coolkit/ewelink < 4.9.2
Published Feb 24, 2021
Tracked Since Feb 18, 2026