Published: 2025/07/29 Last Updated: 2025/07/29
JVN#59585716
"SwitchBot" App vulnerable to insertion of sensitive information into log file
Overview
"SwitchBot" App provided by SwitchBot is vulnerable to insertion of sensitive information into log file.
Products Affected
- "SwitchBot" App for Android versions V6.24 through V9.12
- "SwitchBot" App for iOS versions V6.24 through V9.12
Description
"SwitchBot" App provided by SwitchBot contains the following vulnerability.
- Insertion of sensitive information into log file (CWE-532)
  - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 5.9
  - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 5.1
  - CVE-2025-53649
Impact
Sensitive user information may be exposed to an attacker who has access to the application logs.
Solution
Update the App
Update the application to the latest version according to the information provided by the developer.
The vulnerability has been fixed in the following versions.
- Android App "SwitchBot" V9.13
- iOS App "SwitchBot" V9.13
Vendor Status
Vendor | Link |
SwitchBot | SwitchBot App Vulnerability Fix (Text in Japanese) |
Credit
Soh Satoh reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
CVE | CVE-2025-53649 |
JVN iPedia | JVNDB-2025-000053 |