🗓️ Live on June 17: The New Rules of Risk: EPSS v5 & Agentic Adversaries Register

Start Free Book Demo

Platform
- Exposure Management Platform
  Complete security visibility across IT, OT, IoT, cloud, mobile, and remote assets.
  
  Total Attack Surface Visibility
  
  Full-Spectrum Exposure Detection
  
  Risk Prioritization & Insights
  
  Compliance, Reporting, & KPIs
  
  Fast Deployment & Scalability
- Asset Fingerprinting & Contextualization
  runZero employs a multi-faceted approach to perform high-fidelity fingerprinting for IT, OT, and IoT assets – no agents or credentials required.
- Integrations
  runZero seamlessly integrates with a wide variety of tools, enhancing network visibility, enriching asset data, and uncovering control gaps.
- Community Edition
  Our completely free version of the runZero Platform is ideal for home use and environments with fewer than 100 assets.
Advanced toplogy, attack path mapping & deep OT intelligence!

With our latest release you can see exactly how an attacker could move through your network, allowing you to harden critical choke points and remediate exposures before they are exploited. Plus we expanded our OT telemetry to provide deep insights into the role and risk profile of every device.

Learn More
Solutions
- Solutions
  Gain visibility, control the unknowns, and ensure compliance with confidence.
  
  Incident Response
  
  Unmanaged & Unknowns
  
  Vulnerability Management
  
  Mergers & Acquisitions
  
  Compliance & Insurance
- Regulatory Compliance
  Ensure compliance and stay resilient against evolving cyber threats.
  
  CSRB
  
  DORA
  
  NIST CSF & 800-171
  
  NIS2
  
  NYDFS
  
  PCI DSS
Analyst Perspective: GigaOm 2026 Radar for OT Security

This new report evaluates security solutions designed specifically for industrial environments, focusing on purpose-built capabilities that can be safely deployed in fragile OT environments. runZero is positioned as a Challenger & Fast Mover in the Innovation/Platform Play quadrant. Read the report for GigaOm’s full take!

Read the Report
Resources
- Resource Center
  Dive into a treasure trove of resources to expand your exposure management knowledge.
  
  Reports
  
  Webcasts
  
  Solution Briefs
- runZero Research
  Explore the world of exposure management through the runZero lens.
  
  Research Blogs
  
  Rapid Responses
  
  runZero Hour
- runZero Blog
  See what's happening at runZero and read up on the latest ideas, opinions, and articles from our experts and researchers.
- Support Resources
  Everything you need to maximize your experience with the runZero Platform.
  
  Documentation
  
  REST API
  
  Open Source
Watch the runZero Day replay!

The inaugural runZero Day livestream was one for the books! From the inner workings of the CVE program and modern cyber journalism to the realities of OT security and the startup investment ecosystem, our wonderful guests helped us cover the trends that are defining our industry.

Watch the Replay
Customers
- Our Customers
  Our customers are everything. We're super proud to be trusted by leading organizations around the globe to help them improve their security.
- Case Studies
  See how runZero has empowered security teams to take control of their networks, uncover their unknowns, and save significant time and money.
  
  North Carolina K-12
  
  Topcon
  
  Capgemini
  
  Presidio
  
  York University
- Testimonials
  Read reviews of the runZero Platform and see how teams have improved their security with our technology.
Case Study: How runZero established North Carolina’s K–12 exposure management program

Learn how runZero became the foundation for exposure management across 343 North Carolina Public School Units.

Read the Case Study
Partners
- Infinity Partner Program
  See how we can work together to provide best-in-class security solutions and outcomes for our joint customers.
- Partner Directory
  Explore our directory of trusted (and awesome) partners.
- Partner Sign In
  Sign in to our Infinity Partner Portal.
Join our Infinity Partner Program

Designed with a partner-first mindset, the runZero Infinity Partner Program offers incredibly valuable resources, relationships, and rewards to partners who choose to grow their business with us.

Become a runZero Partner
About
- About Us
  Wondering who the heck are these people? Meet the team and get the story behind runZero... once upon a time called Rumble.
- Events
  Track down runZero Yetis in the wild! Join us in-person or virtually at one of our upcoming events.
- Investors
  Meet the cybersecurity investors, trailblazers, and innovators who help us navigate our journey and the evolving security landscape.
- Newsroom
  Read the latest articles, announcements, and press releases from runZero.
- Careers
  Want to join our forces? We're looking for bright minds and passionate souls who want to write the next chapter in exposure management.
Live Webcast: The New Rules of Risk: EPSS v5 & Agentic Adversaries

EPSS v5 is here! On this episode of runZero Hour, we're talking to special guest Stephen Shaffer, Co-Chair of the EPSS Special Interest Group, to explore the update. Join us and learn how your security team can use EPSS v5 to inform daily risk decisions in a world increasingly targeted by the apex agentic adversary.

Register Now
Pricing
Support
Contact Us
Sign In

🗓️ Live on June 17: The New Rules of Risk: EPSS v5 & Agentic Adversaries Register

Exposure Management Platform
Complete security visibility across IT, OT, IoT, cloud, mobile, and remote assets.
Asset Fingerprinting & Contextualization
runZero employs a multi-faceted approach to perform high-fidelity fingerprinting for IT, OT, and IoT assets – no agents or credentials required.
Integrations
runZero seamlessly integrates with a wide variety of tools, enhancing network visibility, enriching asset data, and uncovering control gaps.
Community Edition
Our completely free version of the runZero Platform is ideal for home use and environments with fewer than 100 assets.

Advanced toplogy, attack path mapping & deep OT intelligence!

With our latest release you can see exactly how an attacker could move through your network, allowing you to harden critical choke points and remediate exposures before they are exploited. Plus we expanded our OT telemetry to provide deep insights into the role and risk profile of every device.

Learn More

Solutions
Gain visibility, control the unknowns, and ensure compliance with confidence.
Regulatory Compliance
Ensure compliance and stay resilient against evolving cyber threats.
- CSRB
- DORA
- NIST CSF & 800-171
- NIS2
- NYDFS
- PCI DSS

Analyst Perspective: GigaOm 2026 Radar for OT Security

This new report evaluates security solutions designed specifically for industrial environments, focusing on purpose-built capabilities that can be safely deployed in fragile OT environments. runZero is positioned as a Challenger & Fast Mover in the Innovation/Platform Play quadrant. Read the report for GigaOm’s full take!

Read the Report

Resource Center
Dive into a treasure trove of resources to expand your exposure management knowledge.
runZero Research
Explore the world of exposure management through the runZero lens.
runZero Blog
See what's happening at runZero and read up on the latest ideas, opinions, and articles from our experts and researchers.
Support Resources
Everything you need to maximize your experience with the runZero Platform.

Watch the runZero Day replay!

The inaugural runZero Day livestream was one for the books! From the inner workings of the CVE program and modern cyber journalism to the realities of OT security and the startup investment ecosystem, our wonderful guests helped us cover the trends that are defining our industry.

Watch the Replay

Our Customers
Our customers are everything. We're super proud to be trusted by leading organizations around the globe to help them improve their security.
Case Studies
See how runZero has empowered security teams to take control of their networks, uncover their unknowns, and save significant time and money.
Testimonials
Read reviews of the runZero Platform and see how teams have improved their security with our technology.

Case Study: How runZero established North Carolina’s K–12 exposure management program

Learn how runZero became the foundation for exposure management across 343 North Carolina Public School Units.

Read the Case Study

About Us
Wondering who the heck are these people? Meet the team and get the story behind runZero... once upon a time called Rumble.
Events
Track down runZero Yetis in the wild! Join us in-person or virtually at one of our upcoming events.
Investors
Meet the cybersecurity investors, trailblazers, and innovators who help us navigate our journey and the evolving security landscape.
Newsroom
Read the latest articles, announcements, and press releases from runZero.
Careers
Want to join our forces? We're looking for bright minds and passionate souls who want to write the next chapter in exposure management.

Live Webcast: The New Rules of Risk: EPSS v5 & Agentic Adversaries

EPSS v5 is here! On this episode of runZero Hour, we're talking to special guest Stephen Shaffer, Co-Chair of the EPSS Special Interest Group, to explore the update. Join us and learn how your security team can use EPSS v5 to inform daily risk decisions in a world increasingly targeted by the apex agentic adversary.

Register Now

Infinity Partner Program
See how we can work together to provide best-in-class security solutions and outcomes for our joint customers.
Partner Directory
Explore our directory of trusted (and awesome) partners.
Partner Sign In
Sign in to our Infinity Partner Portal.

Join our Infinity Partner Program

Designed with a partner-first mindset, the runZero Infinity Partner Program offers incredibly valuable resources, relationships, and rewards to partners who choose to grow their business with us.

Become a runZero Partner

On This Page:

Executive summary
Technical details
Attacker value
Credit
Timeline

Aqara Board IoT insecure debug API

Vendors	Aqara
Products	Aqara Board service Aqara Board service
Related	CVE-2026-50085

Products

	Product
1	Aqara Board service

CVE

CVE-2026-50085

Executive summary #

The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS ofCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-50083, and CVE-50084, this can lead to a fully unauthenticated, remote takeover of affected devices.

Technical details #

POST /board/downstream/api/debug accepts arbitrary MQTT command payloads and forwards them to the platform's HiveMQ broker (172.16.201.20) without authentication. The companion endpoint /board/downstream/panel/config/down shows the same behavior (code:0 on POST). The Board service runs as root per the Spring Boot Actuator output (operator-side finding) and exposes a websocket.no.auth = true flag enabling unauthenticated WebSocket connections at /board/ws.

Repro:

POST /board/downstream/api/debug HTTP/1.1
Host: 193.112.163.150
Content-Type: application/json

{"action":"query"}

→ HTTP 200, {"code":0,"message":"success"}

Further technical details for this issue can be found at https://github.com/xn0tsa/theres-no-place-like-home

Attacker value #

This is the final step of a four step chain involving the above-mentioned CVEs, culminating in direct device command surface for smart locks, cameras, hubs, sensors.

Credit #

These issues were discovered, documented, and disclosed by Sammy Azdoufal. CVE coordination was performed by Tod Beardsley of runZero, Inc.

Timeline #

2026-03-13: Set of issues discovered by the researcher and outreach to the vendor initiated

2026-03-30: Researcher confirmed the vulnerability had been mitigated by the vendor

2026-03-30: Second outreach by the researcher

2026-04-08: Various findings and vulnerabilities remediated by the vendor

2026-04-20: Acknowledged the researcher's reporting

2026-04-20: The vendor stated this issue has been fixed

2026-06-12: This public disclosure (90 days from first contact)

For more details on specific findings and fixes, please see the researcher's website at https://github.com/xn0tsa/theres-no-place-like-home.

runZero CAASM

© Copyright 2026 runZero, Inc. All Rights Reserved