CVE-2025-7202 - Vulnerability Details - OpenCVE

A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controlles the victim's lights.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Elgato	Key Light Light Strip Ring Light

No data.

No data.

References

Link	Providers
https://www.toreon.com/flashing-your-lights-cve-2025-7202/

History

Thu, 07 Aug 2025 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Elgato Elgato key Light Elgato light Strip Elgato ring Light
Vendors & Products		Elgato Elgato key Light Elgato light Strip Elgato ring Light

Wed, 06 Aug 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 06 Aug 2025 08:45:00 +0000

Type	Values Removed	Values Added
Description		A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controlles the victim's lights.
Title		Cross-Site Request Forgery (CSRF) allowed remote control of Elgato Key Lights
Weaknesses		CWE-352
References		https://www.toreon.com/flashing-your-lights-cve-2025-7202/
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Toreon

Published: 2025-08-06T08:28:23.397Z

Updated: 2025-08-06T20:23:30.776Z

Reserved: 2025-07-07T09:57:43.476Z

Link: CVE-2025-7202

Vulnrichment

Updated: 2025-08-06T20:23:27.365Z

NVD

Status : Awaiting Analysis

Published: 2025-08-06T09:15:27.950

Modified: 2025-08-06T20:23:37.600

Link: CVE-2025-7202

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-7202", "assignerOrgId": "1c6b5737-9389-4011-8117-89fa251edfb2", "state": "PUBLISHED", "assignerShortName": "Toreon", "dateReserved": "2025-07-07T09:57:43.476Z", "datePublished": "2025-08-06T08:28:23.397Z", "dateUpdated": "2025-08-06T20:23:30.776Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Key Light", "vendor": "Elgato", "versions": [{"lessThanOrEqual": "1.0.3(218)", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Key Light Air", "vendor": "Elgato", "versions": [{"lessThanOrEqual": "1.0.3.220", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Key Light Mini", "vendor": "Elgato", "versions": [{"lessThanOrEqual": "1.0.4.239", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Key Light Neo", "vendor": "Elgato", "versions": [{"lessThanOrEqual": "1.0.4.206", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Ring Light", "vendor": "Elgato", "versions": [{"lessThanOrEqual": "1.0.4.149", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Light Strip", "vendor": "Elgato", "versions": [{"lessThanOrEqual": "1.0.4.231", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Light Strip Pro", "vendor": "Elgato", "versions": [{"lessThanOrEqual": "1.0.1.145", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controlles the victim's lights."}], "value": "A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controlles the victim's lights."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1c6b5737-9389-4011-8117-89fa251edfb2", "shortName": "Toreon", "dateUpdated": "2025-08-06T08:29:42.843Z"}, "references": [{"url": "https://www.toreon.com/flashing-your-lights-cve-2025-7202/"}], "source": {"discovery": "UNKNOWN"}, "title": "Cross-Site Request Forgery (CSRF) allowed remote control of Elgato Key Lights", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-06T20:23:21.907796Z", "id": "CVE-2025-7202", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T20:23:30.776Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7202", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-06T20:23:21.907796Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T20:23:27.365Z"}}], "cna": {"title": "Cross-Site Request Forgery (CSRF) allowed remote control of Elgato Key Lights", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elgato", "product": "Key Light", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.3(218)"}], "defaultStatus": "unaffected"}, {"vendor": "Elgato", "product": "Key Light Air", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.3.220"}], "defaultStatus": "unaffected"}, {"vendor": "Elgato", "product": "Key Light Mini", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.4.239"}], "defaultStatus": "unaffected"}, {"vendor": "Elgato", "product": "Key Light Neo", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.4.206"}], "defaultStatus": "unaffected"}, {"vendor": "Elgato", "product": "Ring Light", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.4.149"}], "defaultStatus": "unaffected"}, {"vendor": "Elgato", "product": "Light Strip", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.4.231"}], "defaultStatus": "unaffected"}, {"vendor": "Elgato", "product": "Light Strip Pro", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.1.145"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.toreon.com/flashing-your-lights-cve-2025-7202/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controlles the victim's lights.", "supportingMedia": [{"type": "text/html", "value": "A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controlles the victim's lights.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "1c6b5737-9389-4011-8117-89fa251edfb2", "shortName": "Toreon", "dateUpdated": "2025-08-06T08:29:42.843Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7202", "state": "PUBLISHED", "dateUpdated": "2025-08-06T20:23:30.776Z", "dateReserved": "2025-07-07T09:57:43.476Z", "assignerOrgId": "1c6b5737-9389-4011-8117-89fa251edfb2", "datePublished": "2025-08-06T08:28:23.397Z", "assignerShortName": "Toreon"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controlles the victim's lights."}, {"lang": "es", "value": "Cross-Site Request Forgery (CSRF) en Elgato's Key Lights y productos de iluminaci\u00f3n relacionados permite a un atacante alojar una p\u00e1gina web maliciosa que controla de forma remota las luces de la v\u00edctima."}], "id": "CVE-2025-7202", "lastModified": "2025-08-06T20:23:37.600", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "1c6b5737-9389-4011-8117-89fa251edfb2", "type": "Secondary"}]}, "published": "2025-08-06T09:15:27.950", "references": [{"source": "1c6b5737-9389-4011-8117-89fa251edfb2", "url": "https://www.toreon.com/flashing-your-lights-cve-2025-7202/"}], "sourceIdentifier": "1c6b5737-9389-4011-8117-89fa251edfb2", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "1c6b5737-9389-4011-8117-89fa251edfb2", "type": "Secondary"}]}