CVE-2021-27941

Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.6 MEDIUM
PHYSICAL
LOW
NONE
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Common Weakness Enumeration
References
https://apps.apple.com/us/app/ewelink-smart-home/id1035163158
https://github.com/salgio/eWeLink-QR-Code
https://play.google.com/store/apps/details?id=com.coolkit&hl=en_US
https://apps.apple.com/us/app/ewelink-smart-home/id1035163158
https://github.com/salgio/eWeLink-QR-Code
https://play.google.com/store/apps/details?id=com.coolkit&hl=en_US