Philips Hue Bridge models 2.x running older firmware are vulnerable to hacking. Once the Hue Bridge has been hacked, attackers will get access to your home network and be able to attack or otherwise interact with other devices on your network.
How bad is this?
This is a severe risk that makes it possible for attackers to install malware on the bridge and use known exploits to infiltrate your network to spread ransomware or spyware.
Am I affected?
You are affected if you own and use the Philips Hue Bridge model 2.X running firmware before and including version 1935144020.
How can I address this risk?
Make sure you update your Philips Hue to the latest version. Here’s how to check if your Philips Hue is up-to-date.
- On your Android or iOS phone or tablet, open the Philips Hue app.
- On the bottom panel, click the Settings tab.
- Scroll down, then tap Software update.
- If your hardware (Bridge or bulb) is in need of an update, the app will notify you with a solid green bubble. Click it, then select Update.
- On the same page, enable the Automatic Update to ensure you always have the latest firmware.
Details
| Affected Device | Philips Hue Bridge 2.x |
| Affected Firmware Version | 1935144020 or below |
| Vulnerability Identifier | CVE-2020-6007 |
| Vulnerability Description | The affected versions of the Hue Bridge firmware contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution. |