Dreame Technology iOS and Android Mobile Applications
Monitor | CVSS 7.3 | ICS-CERT ICSA-25-219-06 | Aug 7, 2025
Attack path
- Attack Vector: Adjacent
- Auth Required: None
- Complexity: Low
- User Interaction: Required
Summary
Dreame Technology's Dreamehome iOS app (≤2.3.4) and Android app (≤2.1.8.8), and MOVA's MOVAhome iOS app (≤1.2.3) fail to properly validate SSL/TLS certificates when communicating with backend servers. This allows an attacker on the same local network to intercept and decrypt communications without detection, potentially exposing user credentials and sensitive home automation configuration data.
What this means
What could happen
Because the apps do not properly validate SSL/TLS certificates, an attacker on the same local network could intercept and read communications between the Dreame/MOVA mobile app and its backend services, stealing user credentials, home automation settings, or sensitive device configuration data.
Who's at risk
Home automation and smart home users with iOS or Android devices running Dreame Technology's Dreamehome app or MOVA's MOVAhome app. This affects individuals and small organizations using Dreame smart home products (smart locks, thermostats, cameras, lighting, etc.).
How it could be exploited
An attacker must be on the same local network (WiFi or Ethernet) as the device running the vulnerable mobile app. Because the app does not properly validate the server's SSL/TLS certificate, they can perform a man-in-the-middle attack on traffic between the app and Dreame/MOVA servers, capturing credentials or sensitive data without being detected.
Prerequisites
- Attacker must be on the same local network as the device running the vulnerable app (same WiFi network or local network segment)
- User interaction required: the user must open and use the Dreame/MOVA app while the attacker is positioned on the network
- No patch available from vendor
- Man-in-the-middle attack vector on local networks
- User credentials and sensitive home automation configuration at risk
- Affects mobile devices managing critical smart home security devices (locks, cameras)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (3)
3 pending
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Dreamehome iOS app | ≤ 2.3.4 | No fix yet |
| Dreamehome Android app | ≤ 2.1.8.8 | No fix yet |
| MOVAhome iOS app | ≤ 1.2.3 | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: Do not download or use the Dreamehome iOS app (version 2.3.4 or earlier) or Dreamehome Android app (version 2.1.8.8 or earlier) until a patched version is released by Dreame Technology
- WORKAROUND: Do not download or use the MOVAhome iOS app (version 1.2.3 or earlier) until a patched version is released
- WORKAROUND: If these apps are currently installed, uninstall them or restrict their use to trusted networks only
Long-term hardening
- HARDENING: When remote access to home automation is required, use a VPN to encrypt traffic between your mobile device and your home network
- HARDENING: Contact Dreame Technology directly to request security patches for these vulnerable applications
CVEs (1)