ID

VAR-202603-0956


CVE

CVE-2026-3562


TITLE

Philips Hue Bridge V2 Firmware Digital Signature Verification Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2026-013577

DESCRIPTION

Philips Hue Bridge hk_hap Ed25519 Signature Verification Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ed25519_sign_open function. The issue results from improper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-28480. It has been reported as ZDI-CAN-28480. All information handled by the software may be leaked to the outside. All information handled by the software may be rewritten. Furthermore, the software may stop working completely.

Trust: 2.25

sources: NVD: CVE-2026-3562 // JVNDB: JVNDB-2026-013577 // ZDI: ZDI-26-160

AFFECTED PRODUCTS

vendor: philips, model: hue bridge v2, scope: lt, version: 1975170000

Trust: 1.0

vendor: Philips (フィリップス), model: hue bridge v2, scope: eq, version: hue bridge v2 firmware 1975170000

Trust: 0.8

vendor: Philips (フィリップス), model: hue bridge v2, scope: eq, version: -

Trust: 0.8

vendor: Philips (フィリップス), model: hue bridge v2, scope: -, version: -

Trust: 0.8

vendor: philips, model: hue bridge, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-26-160 // JVNDB: JVNDB-2026-013577 // NVD: CVE-2026-3562

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2026-3562
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2026-3562
value: HIGH

Trust: 1.0

NVD: CVE-2026-3562
value: HIGH

Trust: 0.8

ZDI: CVE-2026-3562
value: MEDIUM

Trust: 0.7

zdi-disclosures@trendmicro.com: CVE-2026-3562
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.0

Trust: 1.0

nvd@nist.gov: CVE-2026-3562
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2026-3562
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2026-3562
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-26-160 // JVNDB: JVNDB-2026-013577 // NVD: CVE-2026-3562 // NVD: CVE-2026-3562

PROBLEMTYPE DATA

problemtype:CWE-347

Trust: 1.0

problemtype:Improper verification of digital signatures (CWE-347) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-013577 // NVD: CVE-2026-3562

PATCH

title: ZDI-26-160 | Zero Day Initiative, url: https://www.zerodayinitiative.com/advisories/ZDI-26-160/

Trust: 0.8

title: Fixed in Bridge v2 Software version 1975170000, url: https://www.philips-hue.com/en-ca/support/release-notes/bridge

Trust: 0.7

sources: ZDI: ZDI-26-160 // JVNDB: JVNDB-2026-013577

EXTERNAL IDS

db: NVD, id: CVE-2026-3562

Trust: 3.3

db: ZDI, id: ZDI-26-160

Trust: 1.7

db: JVNDB, id: JVNDB-2026-013577

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-28480

Trust: 0.7

sources: ZDI: ZDI-26-160 // JVNDB: JVNDB-2026-013577 // NVD: CVE-2026-3562

REFERENCES

url: https://www.zerodayinitiative.com/advisories/zdi-26-160/

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2026-3562

Trust: 0.8

url: https://www.philips-hue.com/en-ca/support/release-notes/bridge

Trust: 0.7

sources: ZDI: ZDI-26-160 // JVNDB: JVNDB-2026-013577 // NVD: CVE-2026-3562

CREDITS

Viettel Cyber Security

Trust: 0.7

sources: ZDI: ZDI-26-160

SOURCES

db: ZDI, id: ZDI-26-160
db: JVNDB, id: JVNDB-2026-013577
db: NVD, id: CVE-2026-3562

LAST UPDATE DATE

2026-06-19T23:15:15.102000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-26-160, date: 2026-03-06T00:00:00
db: JVNDB, id: JVNDB-2026-013577, date: 2026-04-30T03:29:00
db: NVD, id: CVE-2026-3562, date: 2026-04-27T14:28:53.410

SOURCES RELEASE DATE

db: ZDI, id: ZDI-26-160, date: 2026-03-06T00:00:00
db: JVNDB, id: JVNDB-2026-013577, date: 2026-04-30T00:00:00
db: NVD, id: CVE-2026-3562, date: 2026-03-16T14:19:52.337