CVE-2025-8393

Summary

A TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication which may result in man-in-the-middle attacks on untrusted networks. Captured communications may include user credentials and sensitive session tokens.

Affected Software

VendorProductVersion RangeStatus
Dreame TechnologyDreamehome iOS app0 <= 2.3.4affected
Dreame TechnologyDreamehome Android app0 <= 2.1.8.8affected
Dreame TechnologyMOVAhome iOS app0 <= 1.2.3affected

Weaknesses

  • CWE-295: CWE-295

Workarounds

Dreame Technology did not respond to CISA's request for coordination. Contact Dreame Technology https://support.dreametech.com/hc/en-us directly for more information. Note that MOVA is a subsidiary of Dreame Technology.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References