We found and responsibly disclosed vulnerabilities in the Nanoleaf desktop app. After an extensive research period we found several critical vulnerabilities in the desktop application used to manage their IoT devices. The most severe was an unauthenticated remote code execution vulnerability, which allowed an attacker to take over the device running the application by sending a network packet. Considering the possibly major impact of this vulnerability, we followed a very strict vulnerability disclosure protocol.
The vulnerability was assigned CVE-2022-46640 and rated 9.8/10 (critical) by NIST. The exact vector of the vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.