VYPR
Medium severity · NVD Advisory · Published Aug 6, 2025 · Updated Apr 15, 2026

CVE-2025-7202

Description

A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controls the victim's lights.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in Elgato Key Lights allows an attacker to control the victim's lights via a malicious webpage.

The Elgato Key Lights contain a Cross-Site Request Forgery (CSRF) vulnerability because HTTP requests to the light's internal web server are accepted without anti-CSRF tokens or origin validation [1]. A webpage from any origin can therefore trigger actions on the device without the user's consent.

An attacker can exploit this by hosting a malicious webpage that, when visited by a victim on the same local network, sends crafted HTTP requests to the light's IP address. The requests can change the light's state, such as turning it on or off, or adjusting brightness and color [1]. No authentication is required beyond network access.

Successful exploitation gives the attacker full control over the lights, potentially causing disruption or annoyance. The impact is limited to control of the lighting device; no further network compromise is indicated [1].

Users should verify they are running the latest firmware for their Elgato Key Light products. Applying vendor updates can prevent this CSRF attack [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
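The missing control described above is origin validation on state-changing requests to the device's HTTP API. The following is an added defensive example, not Elgato's code and not part of the advisory: the device origin, the custom header name, and the sample requests are constructed for illustration.

```python
"""Origin-validation guard for a LAN device's HTTP control API (added example)."""
from typing import Dict, Mapping

# Constructed values for this example: the device's own origin (its embedded UI) and a
# custom header that a cross-origin browser page cannot attach without a CORS preflight,
# which the device must simply never approve (no Access-Control-Allow-* headers).
TRUSTED_ORIGINS = {"http://192.0.2.10:8080"}
REQUIRED_HEADER = "x-device-client"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def is_request_allowed(method: str, headers: Mapping[str, str]) -> bool:
    """Return True only if a state-changing request is demonstrably first-party."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in STATE_CHANGING:
        return True  # reads must stay side-effect free for this to hold
    # 1. Browsers attach Origin to cross-origin POST/PUT/etc.; reject unknown values ("null" too).
    origin = h.get("origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False
    # 2. Fetch Metadata: modern browsers label the request's relation to the target site.
    site = h.get("sec-fetch-site")
    if site is not None and site not in {"same-origin", "none"}:
        return False
    # 3. A <form> post or a simple fetch() from another page cannot carry a custom header;
    #    a preflighted attempt fails because the device never grants CORS.
    return REQUIRED_HEADER in h


# Constructed sample requests: a forged cross-site write, a same-origin UI write,
# a native vendor-app write (no browser headers), and a plain read.
SAMPLE_REQUESTS: Dict[str, tuple] = {
    "forged_from_webpage": ("PUT", {"Origin": "http://attacker.example",
                                    "Sec-Fetch-Site": "cross-site",
                                    "Content-Type": "text/plain"}),
    "embedded_ui": ("PUT", {"Origin": "http://192.0.2.10:8080",
                            "Sec-Fetch-Site": "same-origin",
                            "X-Device-Client": "ui"}),
    "native_app": ("PUT", {"X-Device-Client": "vendor-app"}),
    "status_read": ("GET", {}),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the guard over every sample request and report the decision per name."""
    return {name: is_request_allowed(m, hdrs) for name, (m, hdrs) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:20s} -> {'allow' if allowed else 'reject'}")
```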

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.