Eufy Homebase 2, Anker’s core smart home device hub, was found to be exposed to three flaws, one of which was a major remote code execution (RCE) vulnerability. All Anker’s Eufy smart home products, including video doorbells, interior security cameras, alarm systems, smart locks, and more, use the Homebase 2 as a video storage and networking gateway.
Homebase serves as a central hub for Eufy devices, connecting to the cloud to enable services such as enhanced product functionality, remote control through an app, and so on. According to Cisco Talos researchers, Homebase 2 has three potentially severe vulnerabilities, which might result in privacy intrusion, service interruption, and code execution.
CVE-2022-21806 is the most serious of the three, a critical (CVSS score of 10.0) RCE that may be triggered by delivering a specially crafted series of network packets to the target device. The weakness is due to a user-after-free flaw in the operation of an internal server that Homebase employs to receive specially structured network signals such as device pairing, configuration, and so on.
The second flaw, CVE-2022-26073, is a high-severity (CVSS score of 7.4) issue that may likewise be exploited remotely by delivering a sequence of specially crafted network packets. Because the exploit causes the device to reboot, the principal effect is a denial of service. However, there are various circumstances in which this weakness might be useful to hostile actors when compromising home security systems.
Finally, CVE-2022-25989 is a high-severity (CVSS score of 7.1) authentication bypass flaw that may be triggered by a specifically constructed DHCP packet, forcing Homebase to transfer traffic to an external server. An attacker might use this weakness to intercept video feeds from linked camera systems and spy on their owners.
Before the faults were made public, Cisco Talos alerted Anker about the concerns, giving them time to fix them with security upgrades. Anker patched these security flaws with firmware versions 220.127.116.11 and 18.104.22.168h, which were released in April 2022. As a result, most Homebase 2 devices that haven’t updated their firmware since purchase are susceptible to the above issues.
Threat actors might exploit the accessible information to conduct actual attacks because Cisco gave in-depth technical instructions on using the weaknesses mentioned above. The app is the simplest way to update the firmware on your Eufy device, as stated on this support page.