CVE-2022-25809
moderate-risk
Published 2022-02-24
Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically proximate attackers), aka an "Alexa versus Alexa (AvA)" attack.
Do I need to act?
~
7.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Echo Dot Firmware
Affected Vendors
References (2)
Exploit
https://arxiv.org/abs/2202.08619
Exploit
https://arxiv.org/abs/2202.08619
47
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
10/34 · Low
Exposure
5/34 · Minimal