CVE-2025-8393

Dreame Technology iOS and Android Mobile Applications Improper Certificate Validation

Description

A TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication, which may result in man-in-the-middle attacks on untrusted networks. Captured communications may include user credentials and sensitive session tokens.

Remediation

Workaround:

  • Dreame Technology did not respond to CISA's request for coordination. Contact Dreame Technology directly at https://support.dreametech.com/hc/en-us for more information. Note that MOVA is a subsidiary of Dreame Technology.

Category

CVSS: 8.5
Severity: High
EPSS 0.01%
Affected: Dreame Technology Dreamehome iOS app
Affected: Dreame Technology Dreamehome Android app
Affected: Dreame Technology MOVAhome iOS app
Published at:
Updated at:

Frequently Asked Questions

What is the severity of CVE-2025-8393?
CVE-2025-8393 has been scored as a high severity vulnerability.

How to fix CVE-2025-8393?
As a workaround for remediating CVE-2025-8393: Dreame Technology did not respond to CISA's request for coordination. Contact Dreame Technology directly at https://support.dreametech.com/hc/en-us for more information. Note that MOVA is a subsidiary of Dreame Technology.

Is CVE-2025-8393 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2025-8393 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

What software or system is affected by CVE-2025-8393?
CVE-2025-8393 affects the Dreame Technology Dreamehome iOS app, the Dreame Technology Dreamehome Android app, and the Dreame Technology MOVAhome iOS app.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.