CVE-2026-3562

HIGH

Philips Hue Bridge - Auth Bypass

Title source: llm

Description

Philips Hue Bridge hk_hap Ed25519 Signature Verification Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ed25519_sign_open function. The issue results from improper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-28480.

References (1)

[Third Party Advisory] https://www.zerodayinitiative.com/advisories/ZDI-26-160/

Scores

CVSS v3 8.8

EPSS 0.0002

EPSS Percentile 6.6%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-347

Status published

Products (2)

Philips/Hue Bridge 1.73.1973146020

philips/hue_bridge_v2_firmware < 1975170000

Published Mar 16, 2026

Tracked Since Mar 16, 2026