CVE-2020-12702

MEDIUM

eWeLink <4.9.2 - Info Disclosure

Title source: llm

Description

Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process.

Exploits (2)

nomisec WORKING POC 5 stars

by salgio · poc

https://github.com/salgio/ESPTouchCatcher

View Code ZIP pw:eip

nomisec WRITEUP 1 stars

by salgio · poc

https://github.com/salgio/eWeLink-QR-Code

View Code ZIP pw:eip

References (4)

Core 4

Core References

Product, Third Party Advisory x_refsource_misc

https://play.google.com/store/apps/details?id=com.coolkit&hl=en_US

Third Party Advisory x_refsource_misc

https://dl.acm.org/doi/abs/10.1145/3411498.3419965

Exploit, Third Party Advisory x_refsource_misc

https://github.com/salgio/ESPTouchCatcher

Exploit, Third Party Advisory x_refsource_misc

https://www.youtube.com/watch?v=DghYH7WY6iE&feature=youtu.be

Scores

CVSS v3 4.6

EPSS 0.0043

EPSS Percentile 62.6%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-327

Status published

Products (2)

coolkit/ewelink < 4.9.1

coolkit/ewelink < 4.9.2

Published Feb 24, 2021

Tracked Since Feb 18, 2026