TrendMakers Sight Bulb Pro

View CSAF

1. EXECUTIVE SUMMARY CVSS v4 5.3 ATTENTION: Low attack complexity Vendor: TrendMakers Equipment: Sight Bulb Pro Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to capture sensitive information and execute arbitrary shell commands on the target device as root if connected to the local network segment.
3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of the Sight Bulb Pro Firmware are affected: Sight Bulb Pro Firmware ZJ_CG32-2201: Version 8.57.83 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327 During the initial setup of the device the user connects to an access point broadcast by the Sight Bulb Pro. During the negotiation, AES Encryption keys are passed in cleartext. If captured, an attacker may be able to decrypt communications between the management app and the Sight Bulb Pro which may include sensitive information such as network credentials. CVE-2025-6521 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N). A CVSS v4 score has also been calculated for CVE-2025-6521. A base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N). 3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77 Unauthenticated users on an adjacent network with the Sight Bulb Pro can run shell commands as root through a vulnerable proprietary TCP protocol available on Port 16668. This vulnerability allows an attacker to run arbitrary commands on the Sight Bulb Pro by passing a well formed JSON string. CVE-2025-6522 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L). A CVSS v4 score has also been calculated for CVE-2025-6522. A base score of 5.2 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:H/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Fahim Balouch reported these vulnerabilities to CISA.
4. MITIGATIONS TrendMakers did not respond to CISA’s request for coordination. Contact TrendMakers directly for more information. CISA recommends that device users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as: The encryption key is sent in the clear only during the initial device setup when the Sight Bulb Pro acts as an access point. Take appropriate physical security measures to minimize the risk of remote network captures or monitoring. Utilize network monitoring or signature based detection to monitor for malicious activity. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY June 26, 2025: Initial Publication