Impact
The reported flaw is in the Philips Hue Bridge’s HomeKit Accessory Protocol implementation, which uses a static nonce in the SRP authentication flow, allowing an attacker on the same local network to bypass authentication entirely. This bypass is enabled by design, meaning no credentials are required to gain control of the bridge. The vulnerability is classified as CWE‑323: Weak Password Policy. Successful exploitation would permit an attacker to send arbitrary commands to the bridge, potentially affecting connected lighting and automation devices and providing a foothold for further network compromise.
Affected Systems
The affected product is the Philips Hue Bridge. The provided data does not enumerate affected firmware versions or give a version range; however, any installation of the HomeKit Accessory Protocol that listens on TCP port 8080 and uses the default SRP nonce configuration is vulnerable. The issue was discovered in the configuration of the bridge’s SRP mechanism. All current releases that include the HomeKit feature should therefore be treated as potentially affected.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalogue. Since the vulnerability is network‑adjacent, an attacker only needs to be on the same local network as the bridge. The attack requires no authentication or privileged access, making it easy to execute from a compromised device or a rogue client in the home network. Exploitation would proceed by connecting to port 8080, initiating an SRP session, and sending the static nonce value to gain unauthorized control.
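The check below is an added example, not code from the advisory or the vendor: it flags a server whose per-session SRP value repeats across sessions, which is what a static nonce looks like to a defender reviewing captured handshakes. It assumes the "nonce" is the server's SRP-6a public value B (the advisory does not say which value is static), and the group parameters, host names and session records are constructed toy values.

```python
import hashlib
import secrets
from collections import defaultdict

# Toy group for illustration only (assumption); real SRP uses a large safe prime.
N = 2**127 - 1
G = 3


def _h(*parts: int) -> int:
    """Hash integers to an integer with SHA-256."""
    data = b"".join(p.to_bytes(16, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


K = _h(N, G) % N


def server_public(verifier: int, b: int) -> int:
    """SRP-6a server value B = (k*v + g^b) mod N."""
    return (K * verifier + pow(G, b, N)) % N


def fresh_b() -> int:
    """Per-session secret drawn from the OS CSPRNG."""
    return secrets.randbelow(N - 2) + 1


def find_reuse(sessions):
    """Return {(host, B): [session ids]} for every B seen more than once per host."""
    seen = defaultdict(list)
    for sid, host, b_pub in sessions:
        seen[(host, b_pub)].append(sid)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def simulate(host: str, verifier: int, static: bool, count: int = 4):
    """Build constructed session records: (session id, host, B)."""
    fixed = 0x1234567  # stands in for a hard-coded per-session value (constructed)
    return [
        (f"{host}-{i}", host, server_public(verifier, fixed if static else fresh_b()))
        for i in range(count)
    ]


if __name__ == "__main__":
    v = pow(G, _h(42), N)  # constructed verifier
    print(find_reuse(simulate("bridge-static", v, static=True)))
    print(find_reuse(simulate("bridge-fresh", v, static=False)))
```

With a fixed per-session secret the same B is reported for every session of that host; with `fresh_b()` the report is empty.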