CVE-2025-8210: Yeelight App Vulnerable to Improper Export of Android Application Components
The Yeelight app, a widely used Android application for controlling Yeelight smart-home lighting, has a security vulnerability that can be exploited only by code already running on the same device, such as another installed app. This post details the weakness, its potential impact, and recommended actions to mitigate the risk.
Vulnerability Details
- CVE ID: CVE-2025-8210
- Description: A vulnerability was found in the Yeelight App for Android up to and including version 3.5.4. It stems from the improper export of Android application components declared in the AndroidManifest.xml of the com.yeelight.cherry component (the app's package name); an exported component can be invoked by any other app on the device. The advisory does not name the specific component(s) involved.
- CVSS Score: 5.3 (Medium)
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- CVSS v3.1 Explanation:
- AV:L (Attack Vector: Local): The attacker must already be able to run code on the device, in practice as another installed app; the flaw is not reachable over the network.
- AC:L (Attack Complexity: Low): No special conditions need to be met beyond being installed alongside the vulnerable app.
- PR:L (Privileges Required: Low): Ordinary third-party app privileges suffice; no root or system permissions are needed.
- UI:N (User Interaction: None): The victim does not have to do anything.
- S:U (Scope: Unchanged): The impact is confined to the Yeelight app's own data and functionality.
- C:L (Confidentiality Impact: Low): Limited information disclosure.
- I:L (Integrity Impact: Low): Limited modification of data.
- A:L (Availability Impact: Low): Limited disruption of the app.
- Exploit Requirements: A malicious or compromised app installed on the same Android device as Yeelight 3.5.4 or earlier, able to send intents to (or query) the exported components.
- Affected Vendor: Yeelight
- Affected Product: Yeelight App
- Affected Version: Up to 3.5.4 on Android
- CWE: CWE-926: Improper Export of Android Application Components. An Android component (Activity, Service, Broadcast Receiver or Content Provider) that is exported, explicitly or by default, can be invoked by any other app on the device. When such a component is not protected by a permission and was not designed for untrusted callers, other apps can trigger its functionality or read its data.
Timeline of Events
- Date of Discovery: Unknown
- Report Date: Prior to July 26, 2025
- CVE Assigned: July 26, 2025
- Vendor Contact: The vendor was contacted about the disclosure but did not respond.
- Public Disclosure: July 26, 2025
Exploitability & Real-World Risk
The vulnerability allows a co-installed app with ordinary privileges to invoke exported components of the Yeelight application in ways its developers did not intend. Depending on which component is exposed, this could lead to disclosure of app data, modification of app state or settings, or crashing the app; the advisory does not identify the affected component(s) or describe a working exploit. Because the attack requires code already running on the device, the realistic threat is a malicious app, or a legitimate app that has itself been compromised, on the same phone, which also makes shared devices a concern.
Recommendations
- Update the Yeelight App: The advisory lists versions up to 3.5.4 as affected and names no fixed release; install any newer version from Google Play as soon as one is available.
- Limit co-installed apps: Because exploitation requires another app on the same device, the most effective user-side control is to keep the set of installed apps small, uninstall apps you no longer use, and review the permissions of the apps that remain.
- Security Best Practices: Follow standard Android security guidance, in particular avoiding apps from untrusted sources and sideloaded APKs.
Technical Insight
The weakness lies in AndroidManifest.xml, where every Activity, Service, Broadcast Receiver and Content Provider of an app is declared. A component is reachable by other apps when its android:exported attribute is "true", or when the attribute is omitted and the component declares an <intent-filter> (the default for apps targeting API 30 and below; Android 12 / API 31 makes the attribute mandatory in that case and refuses to install APKs that omit it). Content providers were additionally exported by default for apps targeting API 16 and below. An exported component that is not gated by an android:permission (or readPermission/writePermission on a provider) and does not validate the intents or URIs it receives can be driven by any co-installed app, bypassing the trust boundary the developer assumed. The developer-side fix is to set android:exported="false" on anything not meant to be called from outside the app, and to protect deliberately exported components with a signature-level permission and strict input validation.
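The rules above can be applied mechanically. The following Python script is an added example, not code from the Yeelight app or from the advisory: it parses a decoded AndroidManifest.xml, applies the platform's explicit and default export rules (including the target-SDK-dependent provider default) and lists every enabled component that any other app can reach without holding a permission. The embedded manifest is constructed for illustration; the package com.example.lightcontrol and its component names are hypothetical and are not the Yeelight app's actual components, which the advisory does not identify.

```python
"""Audit a decoded AndroidManifest.xml for CWE-926 exposure (added example).
Package and component names below are constructed, not taken from Yeelight."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def target_sdk_of(root):
    """targetSdkVersion from <uses-sdk>, falling back to minSdkVersion, then 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    return int(_attr(uses_sdk, "targetSdkVersion", _attr(uses_sdk, "minSdkVersion", "1")))


def is_exported(component, target_sdk):
    """Apply the platform's explicit and default export rules to one component."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        # Providers defaulted to exported only when targeting API 16 or lower.
        return target_sdk < 17
    # Other components are exported by default iff they declare an intent-filter.
    # Apps targeting API 31+ must set the attribute in that case or fail to
    # install, so treating the omission as exported is the conservative reading.
    return component.find("intent-filter") is not None


def is_protected(component):
    """True when callers must hold a permission to reach the component."""
    if _attr(component, "permission"):
        return True
    if component.tag == "provider":
        return bool(_attr(component, "readPermission") or _attr(component, "writePermission"))
    return False


def is_launcher(component):
    """The launcher activity must be exported; do not report it."""
    return any(_attr(cat, "name") == LAUNCHER
               for f in component.findall("intent-filter")
               for cat in f.findall("category"))


def audit_manifest(xml_text):
    """Return (tag, name) of enabled components any app can reach with no permission."""
    root = ET.fromstring(xml_text)
    target_sdk = target_sdk_of(root)
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or _attr(comp, "enabled", "true").lower() == "false":
            continue
        if is_exported(comp, target_sdk) and not is_protected(comp) and not is_launcher(comp):
            findings.append((comp.tag, _attr(comp, "name")))
    return findings


# Constructed sample: a hypothetical smart-lighting app targeting API 30.
VULNERABLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lightcontrol">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- exported by default: intent-filter present, android:exported omitted -->
    <activity android:name=".DeviceControlActivity">
      <intent-filter>
        <action android:name="com.example.lightcontrol.SET_BRIGHTNESS"/>
      </intent-filter>
    </activity>
    <!-- explicitly exported with no permission -->
    <service android:name=".SceneService" android:exported="true"/>
    <provider android:name=".DeviceProvider"
        android:authorities="com.example.lightcontrol.devices" android:exported="true"/>
    <!-- exported but gated by a permission: acceptable -->
    <receiver android:name=".PushReceiver" android:exported="true"
        android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
    <!-- private to the app: acceptable -->
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

# The same manifest with the three unintended exports closed.
HARDENED_MANIFEST = VULNERABLE_MANIFEST.replace(
    '<activity android:name=".DeviceControlActivity">',
    '<activity android:name=".DeviceControlActivity" android:exported="false">',
).replace('android:exported="true"/>', 'android:exported="false"/>')

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest))
```

Run against a real app by feeding it the AndroidManifest.xml that apktool writes when decoding an APK; the binary manifest inside the APK itself is not plain XML and must be decoded first. The launcher activity is skipped deliberately because it has to be exported, so anything the script reports is exposure the developer should justify or close.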
Credit to Researcher(s)
This vulnerability was reported by an anonymous researcher.
Tags
#CVE-2025-8210 #Yeelight #Android #Vulnerability #Security #ImproperExport #AppSecurity
Summary: The Yeelight app for Android, versions up to 3.5.4, has a vulnerability (CVE-2025-8210) in which application components are exported without adequate protection (CWE-926). Another app on the same device could invoke them to read or modify app data or disrupt the app; the advisory rates it CVSS 3.1 5.3 (Medium).
Risk Analysis: Successful exploitation could lead to unauthorized access to app data, modification of settings, or disruption of app functionality. Exploitation is local only, so the realistic threat is a malicious or compromised app installed alongside Yeelight, including on shared devices.
Recommendation: Install any Yeelight release newer than 3.5.4 once one is available, keep the set of installed apps small and sourced from Google Play, and remove apps you no longer trust.
Timeline
- 2025-07-26: CVE-2025-8210 assigned and publicly disclosed.