Description
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.
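The following is an added, self-contained model of the weakness class the description names (CWE-522, a pairing key that can be read over the same channel the attacker is listening on). It is not eWeLink's protocol, not the proof of concept in the referenced GitHub repository, and the endpoint name, message layout, out-of-band label secret and HMAC-based stream cipher are all assumptions made for illustration. It shows why a passive sniffer wins when the device hands out its key on request, and why binding the pairing key to a secret that never crosses the air defeats that same sniffer.

```python
"""Constructed model of CWE-522 in a Wi-Fi pairing flow (not eWeLink's code).

"device", "app" and "sniffer" run in-process. The key endpoint path, the frame
layout and the label-secret design are assumptions. Encryption is an
HMAC-SHA256 keystream so the model runs on the stdlib alone; a real
implementation would use an AEAD such as AES-GCM or ChaCha20-Poly1305."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

HTTP_KEY_PREFIX = b"HTTP/200 "   # assumed: how the key response looks on the wire


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class Sniffer:
    """Passive observer of the Wi-Fi channel: records every frame it sees."""
    def __init__(self):
        self.frames = []

    def observe(self, frame: bytes):
        self.frames.append(frame)


class VulnerableDevice:
    """Pairing-mode device that serves its key from an unauthenticated endpoint."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def http_get(self, path: str) -> bytes:
        if path == "/device/key":          # assumed endpoint: anyone nearby can read it
            return self.key
        raise KeyError(path)


def vulnerable_pairing(device: VulnerableDevice, sniffer: Sniffer, creds: dict) -> bytes:
    """App fetches the key over the air, then sends encrypted Wi-Fi credentials."""
    key = device.http_get("/device/key")
    sniffer.observe(HTTP_KEY_PREFIX + key)   # the key response itself crosses the air
    nonce = secrets.token_bytes(12)
    frame = nonce + keystream_xor(key, nonce, json.dumps(creds).encode())
    sniffer.observe(frame)
    return frame


def eavesdrop_vulnerable(sniffer: Sniffer) -> dict:
    """Attacker pulls the key out of the captured response and decrypts the creds."""
    key = next(f[len(HTTP_KEY_PREFIX):] for f in sniffer.frames if f.startswith(HTTP_KEY_PREFIX))
    frame = sniffer.frames[-1]
    return json.loads(keystream_xor(key, frame[:12], frame[12:]))


def derive_key(label_secret: str, app_nonce: bytes, dev_nonce: bytes) -> bytes:
    """HKDF-style extract/expand with HMAC-SHA256. Nonces are public; the label secret is not."""
    prk = hmac.new(app_nonce + dev_nonce, label_secret.encode(), hashlib.sha256).digest()
    return hmac.new(prk, b"pairing-key\x01", hashlib.sha256).digest()


class HardenedDevice:
    """Assumed design: the pairing key derives from a secret printed on the device
    label, which the user scans or types. There is no network endpoint for it."""
    def __init__(self):
        self.label_secret = secrets.token_hex(8)

    def http_get(self, path: str) -> bytes:
        raise KeyError(path)                 # no key material served over the air

    def pairing_key(self, app_nonce: bytes, dev_nonce: bytes) -> bytes:
        return derive_key(self.label_secret, app_nonce, dev_nonce)


def hardened_pairing(device: HardenedDevice, sniffer: Sniffer, creds: dict, label_secret: str) -> bytes:
    """Only nonces and ciphertext cross the air; both sides derive the key locally."""
    app_nonce, dev_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    sniffer.observe(app_nonce)
    sniffer.observe(dev_nonce)
    key = derive_key(label_secret, app_nonce, dev_nonce)
    assert key == device.pairing_key(app_nonce, dev_nonce)
    nonce = secrets.token_bytes(12)
    frame = nonce + keystream_xor(key, nonce, json.dumps(creds).encode())
    sniffer.observe(frame)
    return frame


def eavesdrop_hardened(sniffer: Sniffer) -> Optional[dict]:
    """Attacker holds the nonces and ciphertext but no label secret: decryption fails."""
    app_nonce, dev_nonce, frame = sniffer.frames[-3], sniffer.frames[-2], sniffer.frames[-1]
    guess = derive_key("", app_nonce, dev_nonce)   # best it can do without the label
    try:
        return json.loads(keystream_xor(guess, frame[:12], frame[12:]))
    except ValueError:                              # undecodable bytes or invalid JSON
        return None
```

The model's point is the one behind the CVSS vector above: with the key fetchable on request, physical proximity and a passive capture are sufficient (AV:P, PR:N, UI:N, C:H). In the hardened variant the sniffer still sees every frame but never sees anything it can turn into a key. A short human-typed label secret would additionally want a PAKE to resist offline guessing; that is outside what this model shows.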
References (3)
https://play.google.com/store/apps/details?id=com.coolkit&hl=en_US (Product, Third Party Advisory; x_refsource_misc)
https://apps.apple.com/us/app/ewelink-smart-home/id1035163158 (Product, Third Party Advisory; x_refsource_misc)
https://github.com/salgio/eWeLink-QR-Code (Third Party Advisory; x_refsource_misc)
Scores
CVSS v3.1 base score
4.6 (Medium)
CVSS v3.1 vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
PHYSICAL (proximity to the Wi-Fi channel during pairing; no privileges or user interaction needed; confidentiality impact only)
EPSS
0.0005 (0.05%)
EPSS Percentile
16.7%
Details
CWE
CWE-522 (Insufficiently Protected Credentials)
Status
published
Products (2)
coolkit/ewelink (iOS, per the description above)
< 4.9.1 (the description says "through 4.9.1", so treat 4.9.1 itself as affected)
coolkit/ewelink (Android, per the description above)
< 4.9.2 (the description says "through 4.9.2", so treat 4.9.2 itself as affected)
Published
May 06, 2021
Tracked Since
Feb 18, 2026