CVE-2022-25809
CRITICAL
Amazon Echo Dot 3rd and 4th Generation - Arbitrary Voice Command Execution via Malicious Skill or Bluetooth Pairing
Title source: llm
Description
Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically proximate attackers), aka an "Alexa versus Alexa (AvA)" attack.
References (1)
Core References
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://arxiv.org/abs/2202.08619
Scores
CVSS v3
9.8
EPSS
0.0745
EPSS Percentile
91.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (1)
amazon/echo_dot_firmware
Published
Feb 24, 2022
Tracked Since
Feb 18, 2026