The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High).
The endpoint gw-builder.aqara.com performs AES encryption and decryption operations (so-called bidirectional AES round-trips) without requiring any authentication. An attacker can repeatedly send their own data to be encrypted or decrypted, creating a cryptographic oracle. The cryptographic algorithm used falls into the broken or risky category (CWE-327), and the lack of an authentication mechanism for this critical function (CWE-306) makes exploitation possible for any user on the Internet.
An attacker can exploit the oracle to read or reconstruct the Aqara platform signing key, leading to disclosure of confidential data and potential compromise of the integrity of tokens or signatures issued by the IAM/SSO system.
Apply patches available from the vendor according to the references. Until the fix is deployed, it is recommended to block access to the vulnerable endpoint at the firewall level and monitor unauthorized requests to gw-builder.aqara.com.
Aqara IAM/SSO gateway accessible at gw-builder.aqara.com; versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H