CVE-2025-56557

Tuya · Smart Life App

The Tuya Smart Life App version 5.6.1 contains an authorization flaw allowing unprivileged attackers to control Matter-enabled devices via the Matter protocol.

Executive summary

A critical authorization vulnerability in the Tuya Smart Life App allows unauthorized control over connected Matter devices, posing significant security risks to smart home environments.

Vulnerability

The flaw is an access-control failure in the application's handling of the Matter protocol. The app does not enforce the authorization checks it should before relaying commands to the Matter devices it has commissioned, so an attacker who lacks the privileges intended for a device can still issue commands to it. Note that this is an authorization failure, not an authentication one: the issue is that the app acts on commands it should have refused, not that the Matter transport itself is open. The advisory does not state which check is missing or what preconditions an attacker needs, so no narrower scope than "unprivileged attacker" should be assumed until the vendor's fix is applied.

Business impact

Unauthorized control of smart devices can lead to physical safety risks (locks, heating, appliances), privacy breaches (cameras, presence sensors), and the compromise of home or office automation networks. The vulnerability carries a CVSS score of 9.1 and is classified as critical, because it permits direct manipulation of hardware by an actor who does not hold the privileges that should be required.

Remediation

Immediate Action: Upgrade the Tuya Smart Life App to the latest version available from the vendor, which corrects the authorization logic. Version 5.6.1 is the affected release named here; the fixed release is not stated, so confirm in the vendor's release notes that the installed version postdates the fix.

Proactive Monitoring: Review device activity and command history (in the app and, where available, the vendor platform's account logs) for commands that no known user issued, commands from accounts that should not have control rights, or device state changes at unexpected times.

Compensating Controls: Isolate IoT devices on a separate, firewalled network segment so that only the trusted controller devices can reach them, and so that a device under unauthorized control cannot reach workstations, storage, or other infrastructure. Segmentation limits who can reach the devices and what a controlled device can reach; it does not restore the missing authorization check in the app, so it complements the upgrade rather than replacing it.
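The following nftables ruleset is an added example of the segmentation control described above; it is not part of the advisory and not Tuya's or the Matter project's configuration. It assumes a Linux router with three interfaces, which are hypothetical names: lan0 (the trusted segment where the controlling phones live), iot0 (the Matter/IoT devices), and wan0 (upstream). Matter over IP uses port 5540 (TCP and UDP) by default and relies on mDNS for discovery; because mDNS is link-local multicast, an mDNS reflector on the router (for example avahi with reflection enabled) is assumed so that the app can still find devices across the segment boundary. Interface-based rules are used rather than address-based ones so that both IPv4 and IPv6 (Matter is IPv6-first) are covered.

```nft
#!/usr/sbin/nft -f
# Added example: isolate Matter/IoT devices on their own segment.
# Assumptions (hypothetical interface names): lan0 = trusted LAN with the
# controlling phones, iot0 = IoT/Matter VLAN, wan0 = upstream. An mDNS
# reflector on the router is assumed so discovery still works across segments.
#
# Weak baseline this replaces: a flat network, or a forward chain with
# "policy accept", where any host can reach any Matter device and any
# Matter device can reach any host.

flush ruleset

table inet iot_segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed below.
        ct state established,related accept

        # Trusted LAN -> IoT: only the Matter operational port (5540/tcp+udp).
        # Nothing else on the devices (debug ports, vendor HTTP, etc.) is reachable.
        iifname "lan0" oifname "iot0" tcp dport 5540 accept
        iifname "lan0" oifname "iot0" udp dport 5540 accept

        # IoT -> internet: allowed so devices can reach the vendor cloud and fetch updates.
        iifname "iot0" oifname "wan0" accept

        # IoT -> trusted LAN: never. A device under unauthorized control cannot
        # pivot to laptops, NAS, or other infrastructure.
        iifname "iot0" oifname "lan0" drop

        # Everything else (IoT -> other VLANs, guest networks, etc.) hits the
        # chain's drop policy.
    }
}
```

Load with `nft -f` and verify from the IoT segment that hosts on lan0 are unreachable while the vendor cloud still resolves and connects; verify from lan0 that the app still discovers and controls devices (which exercises both the mDNS reflector and the 5540 rules). If Thread devices are present they reach IP networks through a Thread border router on iot0, so they are covered by the same interface rules.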

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical severity of this flaw and its potential for direct physical impact, users should update the mobile application immediately and confirm the installed version postdates the fix. Until the app is updated, an attacker can bypass the intended authorization boundary and control devices in the smart home or office; network segmentation and log review reduce the blast radius but do not close the flaw.