A TLS vulnerability exists in the phone application used to manage a
connected device. The phone application accepts self-signed certificates
when establishing TLS communication, which may result in
man-in-the-middle attacks on untrusted networks. Captured communications
may include user credentials and sensitive session tokens.

Fixes

Solution

No solution given by the vendor.


Workaround

Dreame Technology did not respond to CISA's request for coordination. Contact Dreame Technology (https://support.dreametech.com/hc/en-us) directly for more information. Note that MOVA is a subsidiary of Dreame Technology.

History

Tue, 12 Aug 2025 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Dreametech, Dreametech dreamehome Android App, Dreametech dreamehome Ios App, Dreametech movahome Ios App |
| Vendors & Products | | Dreametech, Dreametech dreamehome Android App, Dreametech dreamehome Ios App, Dreametech movahome Ios App |

Fri, 08 Aug 2025 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 08 Aug 2025 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication, which may result in man-in-the-middle attacks on untrusted networks. Captured communications may include user credentials and sensitive session tokens. |
| Title | | Dreame Technology iOS and Android Mobile Applications Improper Certificate Validation |
| Weaknesses | | CWE-295 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}; cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-08-08T19:14:14.004Z

Reserved: 2025-07-30T20:02:25.275Z

Link: CVE-2025-8393

Vulnrichment

Updated: 2025-08-08T19:14:09.706Z

NVD

Status: Awaiting Analysis

Published: 2025-08-08T17:15:30.187

Modified: 2025-08-08T20:30:18.180

Link: CVE-2025-8393

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-08-12T11:47:27Z