
Amazon is warning customers to immediately stop using its discontinued Cloud Cam home security devices, following the disclosure of a critical security flaw that leaves the cameras vulnerable to remote hijacking and traffic manipulation.
The issue, tracked as CVE-2025-6031 and disclosed in a bulletin yesterday, relates to insecure device pairing on the now end-of-life Cloud Cam product. Discovered internally and published through Amazon’s own security advisory, the flaw surfaces when users power on the deprecated camera. On boot, the device attempts to connect to backend infrastructure that was decommissioned after the product's official retirement in December 2022. Unable to reach it, the Cloud Cam falls back into a default pairing mode, allowing an attacker to bypass SSL pinning and reroute the device to an arbitrary network, enabling full interception and modification of its traffic.
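As an added illustration (not code from Amazon's advisory or from this article), a small defensive check: an orphaned end-of-life device like the one described keeps trying to reach its retired backend, which shows up in a home resolver's logs as sustained lookup failures for the same few names, so a device can be flagged for quarantine before it drops into pairing mode. The log format, hostnames and addresses below are constructed placeholders, not real Amazon infrastructure.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log: "<ISO timestamp> <client IP> <queried name> <rcode>".
# The hostnames and addresses are placeholders, not real Amazon infrastructure.
SAMPLE_LOG = """\
2025-06-12T08:00:03 192.168.1.42 api.cloudcam-backend.example NXDOMAIN
2025-06-12T08:00:18 192.168.1.42 api.cloudcam-backend.example NXDOMAIN
2025-06-12T08:00:49 192.168.1.42 pair.cloudcam-backend.example NXDOMAIN
2025-06-12T08:01:20 192.168.1.42 api.cloudcam-backend.example NXDOMAIN
2025-06-12T08:02:10 192.168.1.42 api.cloudcam-backend.example NXDOMAIN
2025-06-12T08:02:55 192.168.1.42 api.cloudcam-backend.example NXDOMAIN
2025-06-12T08:00:05 192.168.1.10 www.example.com NOERROR
2025-06-12T08:00:07 192.168.1.10 typo.exmaple.com NXDOMAIN
2025-06-12T08:03:01 192.168.1.10 cdn.example.net NOERROR
"""

FAILING_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}

def parse_log(text):
    """Yield (timestamp, client, name, rcode) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def find_orphaned_devices(text, min_failures=5, min_span_s=60, max_names=3):
    """Return {client: stats} for clients that keep failing to resolve a small, fixed set
    of names over a sustained period: the call-home pattern of a device whose backend is
    gone. A one-off typo or a browser spraying many different names does not match."""
    per_client = defaultdict(list)
    for ts, client, name, rcode in parse_log(text):
        if rcode in FAILING_RCODES:
            per_client[client].append((ts, name))
    flagged = {}
    for client, events in per_client.items():
        times = [t for t, _ in events]
        names = {n for _, n in events}
        span = (max(times) - min(times)).total_seconds()
        if len(events) >= min_failures and span >= min_span_s and len(names) <= max_names:
            flagged[client] = {"failures": len(events), "names": sorted(names), "span_s": span}
    return flagged

if __name__ == "__main__":
    print(find_orphaned_devices(SAMPLE_LOG))  # flags only 192.168.1.42
```

Flagged clients are candidates for a firewall block or VLAN quarantine until the hardware is retired; the thresholds are starting points to tune against your own resolver's noise.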
Amazon has made clear there is no patch forthcoming, as the device has reached its end-of-life status. The company is instead advising customers to permanently discontinue use of any remaining Cloud Cam devices.
Launched in 2017, the Amazon Cloud Cam was part of the company’s push into smart home surveillance, often bundled with Alexa services and Amazon Key. Despite its deprecation, many users have continued to use these devices well beyond their official support window, largely due to their relatively long hardware lifespan and the absence of apparent functionality issues. However, the discovery of a security hole that enables arbitrary network control underscores the dangers of continuing to rely on unsupported IoT products.
This vulnerability presents particular risks in environments where Cloud Cam devices may still be connected to home networks or even office Wi-Fi setups. In such scenarios, attackers could theoretically eavesdrop on network communications, alter the firmware, or use the device as a pivot point for further intrusions.
Ongoing exposure of cameras
Recent findings by BitSight revealed that over 40,000 security cameras are accessible online without password protection. Their research identified thousands of exposed live video streams, many inadvertently broadcasting from homes, offices, and even data centers. BitSight’s findings underscore just how pervasive poor camera security practices remain across residential and enterprise deployments.
In a related development, CISA published an advisory for PTZOptics and other camera vendors, detailing multiple vulnerabilities including improper authentication, OS command injection, and use of hard-coded credentials. Devices from ValueHD, SMTAV, and multiCAM Systems were also listed as vulnerable.