CVE-2025-15474: AuntyFey Smart Lock DoS Vulnerability

CVE-2025-15474 Overview

CVE-2025-15474 is a Denial of Service (DoS) vulnerability affecting AuntyFey Smart Combination Lock firmware. The vulnerability allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections. Sustained connection attempts interrupt keypad authentication input and repeatedly force the device into lockout states, preventing legitimate users from unlocking the device.

This IoT firmware vulnerability represents a significant risk for physical security devices that rely on wireless connectivity, as it can be exploited without any authentication to render the lock unusable.

Critical Impact

Attackers within BLE range can prevent legitimate users from accessing secured areas by forcing the smart lock into continuous lockout states through connection flooding.

Affected Products

• AuntyFey Smart Combination Lock (firmware versions as of 2025-12-24)

Discovery Timeline

• 2026-01-07 - CVE CVE-2025-15474 published to NVD
• 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-15474

Vulnerability Analysis

This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The AuntyFey Smart Combination Lock fails to implement proper rate limiting or connection management for incoming BLE connection requests. When an attacker floods the device with connection attempts, the lock's firmware cannot adequately handle the resource demands, causing the keypad authentication system to become unresponsive and triggering repeated lockout states.

The vulnerability requires the attacker to be within BLE range (typically 10-100 meters depending on environmental factors), but requires no authentication or special privileges to exploit. The impact is limited to availability—the attacker cannot gain unauthorized access to unlock the device, but can effectively deny service to legitimate users.

Root Cause

The root cause is improper resource allocation handling in the BLE connection management subsystem. The firmware lacks mechanisms to throttle or limit incoming connection requests, allowing an attacker to exhaust the device's limited processing resources. This design flaw is common in IoT devices with constrained computing resources that prioritize connectivity over security controls.

Attack Vector

The attack requires adjacent network access (specifically BLE proximity). An attacker positions themselves within BLE range of the target lock and uses commodity hardware to initiate rapid, repeated connection requests to the device. Each connection attempt consumes device resources and interrupts the normal keypad authentication workflow. By sustaining this connection flood, the attacker can maintain the lock in an unusable state indefinitely.

The vulnerability mechanism operates as follows: when the smart lock receives BLE connection requests faster than it can process them, the device's limited processing capacity becomes overwhelmed. The keypad input handler becomes unresponsive during connection processing, and the firmware's security logic interprets the resulting authentication failures as potential attack attempts, triggering lockout states designed to prevent brute-force attacks on the keypad code.

Technical details and a proof-of-concept implementation are available in the GitHub DoS Exploit Repository. Additional vulnerability information can be found in the VulnCheck Security Advisory.

Detection Methods for CVE-2025-15474

Indicators of Compromise

• Unusual number of BLE connection attempts to the smart lock in a short time period
• Lock repeatedly entering lockout state without corresponding failed PIN attempts by users
• Users reporting inability to unlock the device despite entering correct credentials
• BLE traffic analysis showing connection flood patterns from a single source

Detection Strategies

• Monitor BLE traffic for anomalous connection request volumes targeting smart lock devices
• Implement logging and alerting for repeated lockout events on IoT access control devices
• Deploy BLE intrusion detection systems capable of identifying connection flooding attacks
• Correlate physical access logs with electronic lock status to identify potential DoS events

Monitoring Recommendations

• Establish baseline BLE traffic patterns for normal smart lock operation
• Configure alerts for lockout events that exceed normal thresholds
• Implement physical security monitoring (cameras) to correlate electronic anomalies with physical observations
• Consider network segmentation for IoT devices to improve visibility and control

How to Mitigate CVE-2025-15474

Immediate Actions Required

• Assess exposure by identifying all AuntyFey Smart Combination Lock devices in your environment
• Evaluate the physical security posture around affected locks—consider supplementary physical security measures
• Monitor the VulnCheck Security Advisory for vendor patch announcements
• Consider temporary replacement with non-BLE dependent locks for high-security applications

Patch Information

No vendor patch is currently available for this vulnerability. The product listing should be monitored for firmware update announcements. Users are advised to contact the vendor directly for remediation timeline information.

Workarounds

• Deploy secondary physical locking mechanisms as backup access controls
• Implement physical surveillance around affected locks to detect potential attackers in proximity
• Consider using BLE signal shielding or directional antennas to reduce the attack surface
• For critical applications, replace affected devices with locks that have demonstrated resilience to BLE flooding attacks

Until a vendor patch is available, physical security controls and monitoring represent the primary mitigation strategy for this vulnerability. Organizations should conduct a risk assessment to determine if continued use of the affected devices is acceptable given their specific security requirements.