Zigbee rejoin spoofing in Lumen mesh lighting
The Aurora bridge honors unauthenticated Zigbee rejoin requests, allowing an attacker to impersonate a dropped node and inject scene commands across a building's lighting mesh.
- Vendor
- Lumen Spaces
- Product
- Aurora mesh lighting bridge
- Severity
- Medium · CVSS 5.9
- Target
- Smart building
- Disclosed
- Status
- Fixed in bridge firmware 5.4
Overview
Aurora bridges manage Zigbee lighting meshes in commercial spaces. When a node drops, it can rejoin the network to resume operation.
The bridge accepts rejoin frames without verifying the device's install code, so any radio can claim a known short address and rejoin as that node.
Impact
An attacker can spoof a node and broadcast scene or power commands — flashing or blacking out floors of a building. While not life-safety rated, it disrupts occupancy and can mask physical intrusion.
Remediation
Firmware 5.4 enforces install-code verification on rejoin and logs anomalous address claims. Operators should rotate network keys after update.
Disclosure timeline
- Report filed with Lumen Spaces
- Vendor validates
- Firmware 5.4 and advisory released