A newly disclosed vulnerability in the now-discontinued Amazon Cloud Cam has raised serious concerns about the risks of continuing to use unsupported smart home devices. Tracked as CVE-2025-6031 and rated CVSS 7.5 (High), the flaw allows attackers to intercept and modify network traffic by exploiting insecure device pairing mechanisms.
"When a user powers on the Amazon Cloud Cam, the device attempts to connect to a remote service infrastructure that has been deprecated... The device defaults to a pairing status in which an arbitrary user can bypass SSL pinning," Amazon's advisory explains.
The Amazon Cloud Cam, once marketed as a reliable smart home security camera, was officially deprecated on December 2, 2022. As an end-of-life (EOL) product, it no longer receives updates or security support from Amazon.
"This product was end of life as of December 2, 2022 and should not be used," Amazon warns.
Despite its discontinued status, some users may still have Cloud Cams running, often unaware of the risks posed by abandoned backend infrastructure and outdated firmware.
When powered on, the Cloud Cam attempts to connect to Amazon's now-defunct service infrastructure. Due to the lack of SSL pinning enforcement and fallback security, attackers on the same network can:

- Bypass SSL pinning
- Associate the device with an unauthorized network
- Intercept unencrypted or weakly encrypted communications

This essentially turns the device into a network surveillance point, which is particularly alarming given its original purpose as a security camera.
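The weakness described above is a client that stops enforcing its certificate pin when it falls into a permissive state. The following Python example is added here for illustration and is not Amazon's code or anything taken from the advisory; it contrasts a fail-closed pin check (the mitigation) with a permissive fallback that mirrors the behaviour the advisory describes. The certificate bytes, pin values and the `connect_pinned` helper are constructed assumptions for the example, not values from the device.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded server certificate (not a real certificate).
SAMPLE_DER = b"CONSTRUCTED-DER-CERT-FOR-EXAMPLE-ONLY"
OTHER_DER = b"CONSTRUCTED-DER-CERT-PRESENTED-BY-SOMEONE-ELSE"


def cert_pin(der_bytes: bytes) -> str:
    """SHA-256 of the DER bytes, hex-encoded. This is the value a client would
    ship with its firmware as the expected pin for the backend."""
    return hashlib.sha256(der_bytes).hexdigest()


def verify_pin(der_bytes: bytes, pins, allow_fallback: bool = False) -> bool:
    """Decide whether a presented certificate may be trusted.

    allow_fallback=False is the fail-closed behaviour a pinned client should
    have: no configured pins, or no match, means the connection is refused.
    allow_fallback=True models the flaw class in the article: when the client
    is in a permissive (pairing-style) state it accepts any peer, so an
    on-path party can substitute its own certificate.
    """
    if not pins:
        return allow_fallback
    presented = cert_pin(der_bytes)
    matched = any(hmac.compare_digest(presented, p) for p in pins)
    return matched or allow_fallback


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> str:
    """Open a TLS connection and enforce the pin on top of normal chain
    validation. Hypothetical helper; performs a real network connection."""
    ctx = ssl.create_default_context()  # CA validation stays on; pinning is additional
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not verify_pin(der, pins):
                raise ssl.SSLError("peer certificate does not match any pinned value")
            return tls.version()


if __name__ == "__main__":
    pins = {cert_pin(SAMPLE_DER)}
    print("strict, correct cert :", verify_pin(SAMPLE_DER, pins))
    print("strict, other cert   :", verify_pin(OTHER_DER, pins))
    print("strict, no pins      :", verify_pin(OTHER_DER, set()))
    print("fallback, other cert :", verify_pin(OTHER_DER, pins, allow_fallback=True))
```

The strict path rejects both a mismatching certificate and an empty pin set, which is the property the device lacks; the `allow_fallback` branch exists only so the two behaviours can be compared side by side.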