CVE-2026-50086

Aqara · IAM/SSO gateway

The Aqara IAM/SSO gateway contains a critical flaw that exposes cryptographic signing keys, allowing unauthenticated attackers to perform unauthorized operations.

Executive summary

The Aqara IAM/SSO gateway is vulnerable to an unauthenticated cryptographic bypass that could allow attackers to forge authentication tokens and gain unauthorized system access.

Vulnerability

The gateway exposes AES encryption and decryption (bidirectional round-trips) under the platform's signing key without requiring authentication. An unauthenticated network attacker can therefore use that key material to forge authentication tokens.

Business impact

The ability to forge authentication tokens renders the Identity and Access Management system ineffective, allowing an attacker to masquerade as any user or administrator. This is a total compromise of the authentication boundary and can lead to unauthorized access to sensitive user data and backend systems. Although the base description suggests a lower severity, a bypass of core authentication warrants a critical response.

Remediation

Immediate Action: Apply the patch provided in the official GitHub advisory (GHSA-3897-2crh-vgmr) without delay.

Proactive Monitoring: Monitor IAM/SSO logs for anomalous authentication requests or tokens that do not align with known user behavior patterns.

Compensating Controls: Until the patch is applied, restrict network access to the gateway with strict access control lists (ACLs) so that only authorized internal infrastructure can reach it.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Authentication bypasses involving cryptographic signing keys are high-risk events. Security teams should treat this as a priority update to ensure the integrity of the platform’s identity services and prevent potential unauthorized access.