Notified: September 09, 2014 Updated: August 27, 2015
Statement Date: August 26, 2015
The CERT/CC reached out to Philips Electronics after originally discovering the vulnerability in the Philips Hue product, which utilizes lwIP for its TCP/IP stack. Philips provided the following response: "This issue has been investigated. Application-layer authentication prevents exploitation affecting confidentiality or integrity of Hue communication, data, firmware updates, etc. Hue Bridge software update 01018228 that fixes this issue is available since December 2014. Users can upgrade via the Hue app."
We are not aware of further vendor information regarding this vulnerability.