External risk intelligence

D3D Wi-Fi Security ZX-G12 RF Replay Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-65552

The vulnerability involves an RF replay attack on a 433 MHz sensor communication channel. This requires the attacker to be in physical proximity to the home security system to capture or replay radio frequency signals, making it impossible to reach via the public internet.

D3dsecurity Zx G12 Firmware

2.1.17

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

The D3D Wi-Fi Home Security System ZX-G12 is affected by a vulnerability that allows an attacker to replay recorded signals to trigger false alarms. This issue stems from a lack of security measures like rolling codes or message authentication in the system's communication. While the technical impact can be severe, the primary concern is confirming if this specific system is deployed within the organization and if it's exposed to such radio frequency attacks.

  • Wireless signals can be replayed to trigger false alarms.
  • Confirms relevance and potential exposure to this threat.
  • Understand exposure and verify system presence.

Attack Path

How an attacker could exploit the issue

An attacker close to the D3D Wi-Fi Home Security System can record wireless signals used by the system's sensors and then replay those signals. This capability allows the attacker to trick the system into believing a sensor has been triggered, potentially causing false alarms.

  • Attacker must be within radio range.
  • Replay recorded wireless sensor signals.
  • Risk of false alarms and system disruption.

Live Threat

Current exploitation, exposure, and threat context

An attacker within radio frequency range could replay captured alarm or control signals to trigger false alarms on the D3D Wi-Fi Home Security System ZX-G12. This is possible because the system lacks protections against such replay attacks on its 433 MHz sensor communication channel.

  • Unauthorized system commands could be issued.
  • RF signals could be captured and replayed.
  • False alarms may be triggered.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects the D3D Wi-Fi Home Security System ZX-G12. Responsibility for addressing this issue likely falls to the system owner or the team managing IoT devices, with the first practical step being to identify all deployed ZX-G12 units, confirm their network exposure, and assess business criticality before planning remediation.

  • System owners are responsible for the issue.
  • Verify physical reachability and business impact.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the D3D Wi-Fi Home Security System ZX-G12?

The ZX-G12 is an IoT-based home security product from D3D Security that uses a central hub to manage wireless sensors. It is designed to monitor a home environment by communicating with peripheral devices like motion or door sensors over a 433 MHz radio frequency channel, rather than standard Wi-Fi, to provide residential alarm alerts.

What does CWE-294 mean for CVE-2025-65552?

This vulnerability is classified as CWE-294, which refers to 'Authentication Bypass by Capture-replay.' In the context of this CVE, it means the system lacks cryptographic protections such as rolling codes or message authentication. Because each signal sent by a sensor is static, an unauthorized party can record a legitimate transmission and send it again later to trick the system into reacting as if a new alarm event just occurred.

How does an attacker trigger this vulnerability?

An attacker triggers this by capturing legitimate radio signals emitted by the sensors when they are activated. The flaw is specifically tied to the 433 MHz sensor communication; it cannot be triggered by sending packets over the internet or through a standard Wi-Fi network connection, as the physical proximity required to intercept or broadcast radio signals on that specific frequency is a mandatory precondition.

Is my network at risk according to Halo Surface Signal?

Halo Surface Signal indicates that this threat is very unlikely for most network-focused environments. Because the vulnerability requires physical proximity to perform a radio frequency replay attack on the 433 MHz channel, the system cannot be attacked remotely over the public internet, meaning traditional network-based exposure is not the primary concern here.

How should I respond if I use the ZX-G12?

The first step is to locate all deployed ZX-G12 units within your physical premises. Once identified, evaluate the criticality of the areas these sensors protect. Since this is a hardware-level communication issue, discuss potential mitigations with the vendor, such as firmware updates or configuration changes, while assessing if the physical security of your sensor placement can be improved to limit unauthorized access to the radio range.

References