🚀 runZero 4.9 is here: Map the unmappable. Secure every path. More
runZero CAASM

On This Page:

  1. Executive summary
  2. Technical details
  3. Attacker value
  4. Credit
  5. Timeline

Meari SDK hardcoded cryptographic keys

todb
|
Updated
Vendors Meari
Products
Meari IoT SDK (com.meari.sdk) (firmID=8)
  • Meari IoT SDK (com.meari.sdk) (firmID=8)
Related

Executive summary #

In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys.

Because these static keys are recoverable from client binaries, trust decisions that depend on them are weak by design and can be replayed across brands and tenants that use the same SDK/backend model.

This is an instance of CWE-321: Use of Hard-coded Cryptographic Key, and has an estimated CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (8.6, High).

Technical details #

Further technical details can be found at the original disclosure, Nobody Puts Baby In A Corner.

Attacker value #

Hardcoded secrets provide durable attacker capability with low maintenance cost. They can support request forgery, unauthorized data access, and broad replay of trusted operations across the ecosystem. This CVE materially strengthens exploitation of other findings in this disclosure set, notably CVE-2026-33357, by supplying reusable signing context and reducing barriers to automated, large-scale abuse.

Credit #

These issues were discovered, documented, and disclosed by Sammy Azdoufal. CVE coordination was performed by Tod Beardsley of runZero, Inc.

Timeline #

2026-03-11: Issues identified by the researcher, reviewed by runZero, and disclosed to vendor

2026-04-03: Opened VINCE Case VU#579666 with CISA for tracking

2026-April/May: Email comms between the vendor and the researcher, throughout April and May

2026-04-28: Researcher and runZero refined findings

2026-05-06: Confirmed findings and disclosure process with The Verge

2026-05-11: Public disclosure of CVE-2026-33356

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.

More about todb
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

runZero CAASM
© Copyright 2026 runZero, Inc. All Rights Reserved