VYPR
Advisory · Published Mar 6, 2026 · Updated May 18, 2026 · 1 source

Philips Hue Bridge Vulnerability CVE-2026-3562 Allows Authentication Bypass via Ed25519 Signature Flaw

A vulnerability in the Philips Hue Bridge (CVE-2026-3562, CVSS 6.3) allows network-adjacent attackers to bypass authentication and execute arbitrary code via improper Ed25519 signature verification.

An authentication bypass vulnerability has been disclosed in the Philips Hue Bridge, the central hub for Philips smart lighting systems. Tracked as CVE-2026-3562 and assigned a CVSS score of 6.3 (a medium rating, driven down by the requirement for network adjacency), the flaw lies in the bridge's ed25519_sign_open function, which does not correctly verify Ed25519 signatures. A network-adjacent attacker can exploit it without any credentials to bypass authentication, potentially leading to arbitrary code execution on the device.

The vulnerability was reported by Viettel Cyber Security as part of the Pwn2Own hacking competition, which incentivizes researchers to discover and disclose zero-day flaws in widely used products. The issue affects the Philips Hue Bridge, a device that connects smart bulbs and accessories to a home network and enables control via apps or voice assistants. Given the bridge's role as a central controller, a successful exploit could allow an attacker to take over the device, manipulate lighting, or pivot to other devices on the network.

Philips has released a fix in Bridge v2 Software version 1975170000, documented in the official Philips Hue release notes; users should confirm that their bridge reports this version or later. The advisory, published by the Zero Day Initiative (ZDI-26-160), notes that the vulnerability requires network adjacency, meaning an attacker must already have a foothold on the same local network as the bridge, for example via the Wi-Fi network or another compromised device. No authentication is needed beyond that, so the flaw is a significant risk for home and enterprise users who have not applied the patch.

The disclosure timeline shows that the vulnerability was reported to Philips on November 18, 2025, and coordinated public release occurred on March 6, 2026. This window of roughly three and a half months allowed Philips to develop and test the fix before public disclosure. Users are strongly advised to update their Hue Bridge firmware to the latest version to mitigate the risk.

This vulnerability highlights the importance of cryptographic implementation correctness in IoT devices. Ed25519 is a widely used elliptic curve signature scheme known for its security and performance, but the scheme's guarantees hold only if the verifier performs every check the specification (RFC 8032) requires: decoding the public key and the signature's R component as valid curve points, rejecting a non-canonical S value, and checking the group equation itself. Skipping any of these, or mishandling the verification result, can let a forged or malleated signature through. The advisory does not state which step the bridge's verifier got wrong, only that its signature verification was improper. The flaw is a reminder that even well-designed cryptographic primitives can be undermined by implementation errors, and as smart home devices become more prevalent, robust firmware security is critical to keep them from becoming entry points for attackers.

Synthesized by Vypr AI