CVE-2021-27941

MEDIUM

eWeLink <4.9.2-4.9.1 - Info Disclosure

Title source: llm

Description

Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.

References (3)

[Product, Third Party Advisory] https://apps.apple.com/us/app/ewelink-smart-home/id1035163158

[Third Party Advisory] https://github.com/salgio/eWeLink-QR-Code

View Writeup ZIP pw:eip

[Product, Third Party Advisory] https://play.google.com/store/apps/details?id=com.coolkit&hl=en_US

Scores

CVSS v3 4.6

EPSS 0.0005

EPSS Percentile 16.7%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (2)

coolkit/ewelink < 4.9.1

coolkit/ewelink < 4.9.2

Timeline

Published May 06, 2021

Tracked Since Feb 18, 2026