CVE-2026-3559 in Hue Bridge

Summary

by MITRE • 03/16/2026

Philips Hue Bridge HomeKit Accessory Protocol Static Nonce Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the configuration of the SRP authentication mechanism in the HomeKit Accessory Protocol service, which listens on TCP port 8080 by default. The issue results from the use of a static nonce value. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-28451.


Analysis

by VulDB Data Team • 05/31/2026

The Philips Hue Bridge is a widely deployed smart home hub that integrates with Apple's HomeKit platform through the HomeKit Accessory Protocol. This vulnerability affects the authentication mechanism of the bridge's HomeKit service, which listens on TCP port 8080 and is the gateway through which smart home devices are managed. The flaw lies in the bridge's handling of the Secure Remote Password (SRP) protocol that Apple uses to authenticate HomeKit accessories, and a weakness there undermines the entire authentication process. The issue was tracked as ZDI-CAN-28451 and is a critical failure to implement a cryptographic protocol correctly in a home automation product.

The root cause is a static nonce value in the SRP authentication mechanism. In a correct SRP implementation, the per-session values are drawn from a cryptographically secure random source for every authentication attempt, so that each session is unique and a recorded exchange cannot be replayed. The Philips Hue Bridge instead uses a hardcoded or predictable value, which removes the guarantees SRP is designed to provide and lets an attacker complete authentication without valid credentials or knowledge of any secret held by the system.
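What correct per-session randomness looks like in SRP-6a, as an added illustration that is neither the Hue firmware's code nor VulDB's: every enrollment draws a fresh salt, every handshake draws a fresh server ephemeral, and a check flags the observable symptom of a fixed value, namely the server's public value B repeating across sessions. The 1024-bit RFC 5054 group, SHA-512 and the sample credentials are assumptions chosen for brevity; the bridge's actual parameters are not stated on the page.

```python
import hashlib
import secrets

# RFC 5054 1024-bit SRP group, assumed here for brevity (the bridge's real
# group size is not stated on the page; the algorithm is identical).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g, NLEN = 2, (N.bit_length() + 7) // 8

def H(*parts):  # SRP hash (SHA-512, as HAP uses) read as an integer
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "big")
def pad(x):  # fixed-width encoding of a group element
    return x.to_bytes(NLEN, "big")
k = H(pad(N), pad(g))  # SRP-6a multiplier
def private_x(salt, user, pw):
    return H(salt, hashlib.sha512(user + b":" + pw).digest())
def enroll(user, pw):  # accessory stores (salt, verifier); salt is random too
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, pw), N)

def server_start(verifier, b=None):
    # b MUST be a fresh random value per session. A fixed b (the "static
    # nonce" failure mode) makes the public value B identical every time.
    b = secrets.randbelow(N) if b is None else b
    return b, (k * verifier + pow(g, b, N)) % N

def client_key(user, pw, salt, a, A, B):
    x, u = private_x(salt, user, pw), H(pad(A), pad(B))
    return pow((B - k * pow(g, x, N)) % N, a + u * x, N)

def server_key(verifier, b, A, B):
    u = H(pad(A), pad(B))
    return pow((A * pow(verifier, u, N)) % N, b, N)

def run_sessions(n, static_b=None):
    """Run n handshakes; return (all keys agreed, list of server B values)."""
    user, pw = b"Pair-Setup", b"031-45-154"  # constructed sample credentials
    salt, v = enroll(user, pw)
    agree, Bs = True, []
    for _ in range(n):
        a = secrets.randbelow(N)
        A = pow(g, a, N)
        b, B = server_start(v, static_b)
        agree &= client_key(user, pw, salt, a, A, B) == server_key(v, b, A, B)
        Bs.append(B)
    return agree, Bs

def ephemerals_are_fresh(Bs):  # defensive check: a reused ephemeral repeats B
    return len(set(Bs)) == len(Bs)
```

Passing `static_b` models the weak implementation: both sides still derive the same key, which is why the bug is invisible to functional testing, but B is the same in every session.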

The impact goes beyond simple unauthorized access: it amounts to complete control of the affected Philips Hue Bridge. A network-adjacent attacker who can reach the device on TCP port 8080 needs no credentials and gains full administrative access to the smart home ecosystem. That access allows modifying device configurations, adding rogue accessories, controlling lighting and other connected devices, and potentially using the bridge as a pivot toward other hosts on the local network. Because the flaw sits in the core authentication model of the HomeKit platform, it undermines the security users expect of their smart home environment.

Security practitioners should apply mitigations immediately: segment the network so that port 8080 on the bridge is reachable only from trusted hosts, add firewall rules that block external access to the bridge's management interface, and install firmware updates from Philips as they are released. The flaw is classified under CWE-310, which covers cryptographic issues arising from improper use of cryptographic primitives, and is treated as a significant concern under ATT&CK technique T1071.004 for application layer protocol usage. Organizations should also monitor for unusual traffic on port 8080 and confirm that all HomeKit accessories are configured with strong authentication, so that a similar weakness cannot compromise their smart home infrastructure.

Disclosure

03/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00159

KEV

no

Activities

very low
