{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-8393", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-07-30T20:02:25.275Z", "datePublished": "2025-08-08T16:23:19.199Z", "dateUpdated": "2025-08-08T19:14:14.004Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Dreamehome iOS app", "vendor": "Dreame Technology", "versions": [{"lessThanOrEqual": "2.3.4", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Dreamehome Android app", "vendor": "Dreame Technology", "versions": [{"lessThanOrEqual": "2.1.8.8", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "MOVAhome iOS app", "vendor": "Dreame Technology", "versions": [{"lessThanOrEqual": "1.2.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dennis Giese reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A TLS vulnerability exists in the phone application used to manage a \nconnected device. The phone application accepts self-signed certificates\n when establishing TLS communication which may result in \nman-in-the-middle attacks on untrusted networks. Captured communications\n may include user credentials and sensitive session tokens."}], "value": "A TLS vulnerability exists in the phone application used to manage a \nconnected device. The phone application accepts self-signed certificates\n when establishing TLS communication which may result in \nman-in-the-middle attacks on untrusted networks. Captured communications\n may include user credentials and sensitive session tokens."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 8.5, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-08-08T16:23:19.199Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06"}, {"url": "https://support.dreametech.com/hc/en-us"}], "source": {"advisory": "ICSA-25-219-06", "discovery": "EXTERNAL"}, "title": "Dreame Technology iOS and Android Mobile Applications Improper Certificate Validation", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Dreame Technology did not respond to CISA's request for coordination. Contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.dreametech.com/hc/en-us\">Dreame Technology</a> directly for more information. Note that MOVA is a subsidiary of Dreame Technology.\n\n<br>"}], "value": "Dreame Technology did not respond to CISA's request for coordination. Contact Dreame Technology https://support.dreametech.com/hc/en-us directly for more information. Note that MOVA is a subsidiary of Dreame Technology."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-08T19:13:59.867731Z", "id": "CVE-2025-8393", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-08T19:14:14.004Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8393", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-08T19:13:59.867731Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-08T19:14:09.706Z"}}], "cna": {"title": "Dreame Technology iOS and Android Mobile Applications Improper Certificate Validation", "source": {"advisory": "ICSA-25-219-06", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Dennis Giese reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dreame Technology", "product": "Dreamehome iOS app", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.3.4"}], "defaultStatus": "unaffected"}, {"vendor": "Dreame Technology", "product": "Dreamehome Android app", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.8.8"}], "defaultStatus": "unaffected"}, {"vendor": "Dreame Technology", "product": "MOVAhome iOS app", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06"}, {"url": "https://support.dreametech.com/hc/en-us"}], "workarounds": [{"lang": "en", "value": "Dreame Technology did not respond to CISA's request for coordination. Contact Dreame Technology https://support.dreametech.com/hc/en-us directly for more information. Note that MOVA is a subsidiary of Dreame Technology.", "supportingMedia": [{"type": "text/html", "value": "Dreame Technology did not respond to CISA's request for coordination. Contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://support.dreametech.com/hc/en-us\">Dreame Technology</a> directly for more information. Note that MOVA is a subsidiary of Dreame Technology.\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A TLS vulnerability exists in the phone application used to manage a \nconnected device. The phone application accepts self-signed certificates\n when establishing TLS communication which may result in \nman-in-the-middle attacks on untrusted networks. Captured communications\n may include user credentials and sensitive session tokens.", "supportingMedia": [{"type": "text/html", "value": "A TLS vulnerability exists in the phone application used to manage a \nconnected device. The phone application accepts self-signed certificates\n when establishing TLS communication which may result in \nman-in-the-middle attacks on untrusted networks. Captured communications\n may include user credentials and sensitive session tokens.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-08-08T16:23:19.199Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8393", "state": "PUBLISHED", "dateUpdated": "2025-08-08T19:14:14.004Z", "dateReserved": "2025-07-30T20:02:25.275Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-08-08T16:23:19.199Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A TLS vulnerability exists in the phone application used to manage a \nconnected device. The phone application accepts self-signed certificates\n when establishing TLS communication which may result in \nman-in-the-middle attacks on untrusted networks. Captured communications\n may include user credentials and sensitive session tokens."}, {"lang": "es", "value": "Existe una vulnerabilidad de TLS en la aplicaci\u00f3n de tel\u00e9fono utilizada para administrar un dispositivo conectado. Esta aplicaci\u00f3n acepta certificados autofirmados al establecer comunicaci\u00f3n TLS, lo que puede provocar ataques de intermediario en redes no confiables. Las comunicaciones capturadas pueden incluir credenciales de usuario y tokens de sesi\u00f3n confidenciales."}], "id": "CVE-2025-8393", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-08-08T17:15:30.187", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://support.dreametech.com/hc/en-us"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}

{}

{"created": "2025-08-12T11:47:27.795309+00:00", "updated": "2025-08-12T11:47:27.795361+00:00", "vendors": ["dreametech", "dreametech$PRODUCT$dreamehome_android_app", "dreametech$PRODUCT$dreamehome_ios_app", "dreametech$PRODUCT$movahome_ios_app"]}