HIGH · 7.5

CVE-2019-18980

Vulnerability Description

On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. The control API requires no authentication and uses no encryption. The only requirement is that the attacker have network access to the bulb.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: HIGH
Availability: NONE

Affected Products

Vendor | Product | Versions
Philips | Taolight Smart Wi-Fi Wiz Connected Led Bulb 9290022656 Firmware | -
Philips | Taolight Smart Wi-Fi Wiz Connected Led Bulb 9290022656 | -

References

FAQ

What is CVE-2019-18980?

CVE-2019-18980 is a vulnerability with a CVSS score of 7.5 (HIGH). On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its ...

How severe is CVE-2019-18980?

CVE-2019-18980 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2019-18980?

Check the references section above for vendor advisories and patch information. Affected products include: Philips Taolight Smart Wi-Fi Wiz Connected Led Bulb 9290022656 Firmware, Philips Taolight Smart Wi-Fi Wiz Connected Led Bulb 9290022656.