CVE-2025-56400: Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Andro...
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.
Security readout for executives and security teams
Plain-English summary
This flaw can let an attacker trick a user into linking the attacker’s Amazon Alexa account to the user’s Tuya account. If successful, the attacker may gain Alexa-mediated access to Tuya-connected devices, including sensitive home or physical security devices.
Executive priority
Treat this as high priority where Tuya controls cameras, locks, alarms, or access-sensitive devices. The risk is account linking abuse leading to potential remote device control, but available sources do not confirm active exploitation.
Technical view
The issue is a CSRF-like OAuth account-linking flaw in Tuya SDK 6.5.0 for Android and iOS. The applications fail to validate the OAuth state parameter, allowing a crafted authorization link to complete account linking on the victim’s behalf after user interaction.
Likely exposure
Exposure applies to Tuya Smart, Smartlife, and third-party mobile applications integrating Tuya SDK 6.5.0, according to the CVE description. The source bundle does not provide complete CPEs, affected version ranges, or fixed versions.
Exploitation context
The CVE is not listed as KEV in the source bundle. Exploitation requires tricking a victim into clicking a crafted authorization link, but does not require prior Alexa linkage or the Tuya app to be active.
Researcher notes
The core weakness is missing OAuth state validation, mapped to CWE-352 and CWE-384. Public metadata gives a CVSS 3.1 score of 8.8. Evidence is incomplete on exact affected package identifiers, patched versions, and vendor mitigation details.
Mitigation direction
Review Tuya advisory for official remediation and fixed SDK guidance.
Inventory mobile apps using Tuya SDK 6.5.0 on Android or iOS.
Update affected Tuya SDK integrations when vendor-fixed versions are available.
Ask users to review and remove unexpected Alexa account links.
Monitor Tuya, Smartlife, and third-party app updates for security fixes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-352: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
2Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.