CVE-2025-62235 Overview
CVE-2025-62235 is an Authentication Bypass by Spoofing vulnerability affecting Apache NimBLE, the open-source Bluetooth Low Energy (BLE) stack. The vulnerability exists in the Security Manager Protocol (SMP) implementation and allows an attacker to send specially crafted Security Request packets that can remove legitimate device bonds and establish new bonds with an impostor device. This attack targets the core pairing mechanism of BLE devices, potentially allowing unauthorized access to protected Bluetooth services.
Critical Impact
An adjacent network attacker can exploit this vulnerability to bypass Bluetooth authentication, remove existing device bonds, and impersonate legitimate paired devices without user interaction. This could lead to complete compromise of confidentiality and integrity for BLE communications.
Affected Products
- Apache NimBLE through version 1.8.0
- Devices and applications using the Apache NimBLE Bluetooth stack
- IoT and embedded systems implementing NimBLE for BLE connectivity
Discovery Timeline
- 2026-01-10 - CVE-2025-62235 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-62235
Vulnerability Analysis
The vulnerability resides in the ble_sm_sec_req_rx() function within nimble/host/src/ble_sm.c, which handles incoming SMP Security Request packets. The flawed implementation inadequately validates incoming Security Requests, allowing an attacker in adjacent network range to send malicious packets that trigger the removal of existing device bonds. Once the legitimate bond is removed, the attacker can initiate a new pairing process, effectively impersonating the original bonded device.
This authentication bypass falls under CWE-290 (Authentication Bypass by Spoofing), where the system fails to properly authenticate the source of a security-critical request. The vulnerability requires adjacent network access, meaning the attacker must be within Bluetooth radio range of the target device.
Root Cause
The root cause is improper handling of SMP Security Request messages in the NimBLE host stack. The original implementation did not adequately track security state or validate the legitimacy of pairing requests when a bond already existed. The vulnerable code path allowed Security Requests to override existing bonds without proper verification of the requesting party's identity, enabling bond removal and re-pairing with an impostor.
Attack Vector
The attack leverages adjacent network access via Bluetooth radio communications. An attacker within Bluetooth range can:
- Monitor BLE traffic to identify bonded device connections
- Send a specially crafted SMP Security Request packet to the target device
- Trigger removal of the legitimate bond between paired devices
- Initiate a new pairing procedure to establish a bond with the impostor device
- Gain unauthorized access to protected BLE services and data
No user interaction is required, and the attacker does not need prior privileges on the target system.
ble_sm_sec_req_rx(uint16_t conn_handle, struct os_mbuf **om,
struct ble_sm_result *res)
{
+ struct ble_gap_sec_state bhc_sec_state;
struct ble_store_value_sec value_sec;
struct ble_store_key_sec key_sec;
struct ble_hs_conn_addrs addrs;
struct ble_sm_sec_req *cmd;
struct ble_hs_conn *conn;
- int authreq_mitm;
+ bool start_pairing = false;
+ bool authreq_mitm;
+ bool authreq_lesc;
res->app_status = ble_hs_mbuf_pullup_base(om, sizeof(*cmd));
if (res->app_status != 0) {
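Review bot: the hunk stops at the declarations, so the visible lines introduce `bhc_sec_state` and `start_pairing` but not the check that uses them; `bhc_sec_state` is declared here without an initializer (unlike `start_pairing = false`), so the rest of the change needs to copy the connection's current security state into it before it is read, and the bond-deletion path should be gated on `start_pairing` being set deliberately rather than on the mere arrival of a Security Request. Changing `authreq_mitm` from `int` to `bool` (and adding `authreq_lesc` as `bool`) turns any masked-bit assignment into a plain true/false, so comparisons that previously tested the raw flag value need rechecking.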
Source: GitHub Commit Update
Detection Methods for CVE-2025-62235
Indicators of Compromise
- Unexpected Bluetooth re-pairing requests or bond removal events on devices running NimBLE
- Multiple SMP Security Request packets from unknown or suspicious Bluetooth addresses
- Logs showing device bond deletions followed by new pairing procedures
- Anomalous Bluetooth connection patterns with previously bonded devices
Detection Strategies
- Implement Bluetooth protocol monitoring to detect unusual SMP Security Request activity
- Enable verbose logging on NimBLE devices to capture bond management events
- Monitor for rapid sequences of bond removal and re-pairing operations
- Deploy network-level Bluetooth intrusion detection systems in sensitive environments
Monitoring Recommendations
- Audit NimBLE version across all deployed IoT and embedded devices
- Establish baseline Bluetooth pairing behavior and alert on deviations
- Review device bond tables periodically for unauthorized entries
- Implement alerting for unexpected bond removal events in device logs
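As an added detection example (not from this advisory or the NimBLE project), the script below scans host log lines for the sequence the indicators above describe: a bond deletion followed within a short window by a new pairing with the same peer, noting whether an SMP Security Request from that peer preceded the deletion. The log format, the event names (sec_req, bond_deleted, user_unpair, pairing_started) and the 30-second window are assumptions chosen for the example; adapt the regex to whatever your firmware actually logs.

```python
import re
from datetime import datetime, timedelta
# Constructed sample log in a hypothetical host-log format (not NimBLE's own output).
SAMPLE_LOG = """\
2026-01-12T10:00:02 conn=1 peer=AA:BB:CC:DD:EE:01 event=sec_req
2026-01-12T10:00:02 conn=1 peer=AA:BB:CC:DD:EE:01 event=bond_deleted
2026-01-12T10:00:03 conn=1 peer=AA:BB:CC:DD:EE:01 event=pairing_started
2026-01-12T11:30:00 conn=2 peer=AA:BB:CC:DD:EE:02 event=user_unpair
2026-01-12T11:30:01 conn=2 peer=AA:BB:CC:DD:EE:02 event=bond_deleted
2026-01-12T11:30:09 conn=2 peer=AA:BB:CC:DD:EE:02 event=pairing_started
2026-01-12T12:00:00 conn=3 peer=AA:BB:CC:DD:EE:03 event=bond_deleted
2026-01-12T12:20:00 conn=3 peer=AA:BB:CC:DD:EE:03 event=pairing_started
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn=(?P<conn>\d+) peer=(?P<peer>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) "
    r"event=(?P<event>\w+)$"
)

def parse_log(text):
    """Parse matching lines into dicts with a datetime timestamp; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def find_suspicious_rebonds(text, window=timedelta(seconds=30)):
    """Flag a bond deletion followed within `window` by a new pairing with the same peer."""
    events = parse_log(text)
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "bond_deleted":
            continue
        # Same-peer events just before the deletion: user_unpair explains it, sec_req is this CVE's trigger.
        before = [p for p in events[:i]
                  if p["peer"] == ev["peer"] and ev["ts"] - p["ts"] <= window]
        if any(p["event"] == "user_unpair" for p in before):
            continue
        for nxt in events[i + 1:]:
            if nxt["ts"] - ev["ts"] > window:
                break  # no quick re-pairing; not the pattern we are looking for
            if nxt["event"] == "pairing_started" and nxt["peer"] == ev["peer"]:
                alerts.append({"peer": ev["peer"], "deleted_at": ev["ts"], "pairing_at": nxt["ts"],
                               "sec_req_before": any(p["event"] == "sec_req" for p in before)})
                break
    return alerts
```

On the sample, only the first peer is flagged: the second deletion is explained by a user unpair and the third is followed by a pairing far outside the window.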
How to Mitigate CVE-2025-62235
Immediate Actions Required
- Upgrade Apache NimBLE to version 1.9.0 or later on all affected devices
- Audit firmware of IoT and embedded devices using NimBLE for vulnerable versions
- Consider temporarily disabling Bluetooth functionality on critical systems until patching is complete
- Review and validate existing device bonds after applying the patch
Patch Information
Apache has released NimBLE version 1.9.0, which addresses this vulnerability by improving SMP Security Request handling. The fix introduces proper security state tracking via bhc_sec_state and adds explicit control over pairing initiation with the start_pairing boolean flag. Users should upgrade to this version to remediate the vulnerability. The security patch is available through the GitHub Commit Update.
For additional information, refer to the Apache Mailing List Thread and the Openwall OSS-Security Discussion.
Workarounds
- Limit Bluetooth discoverability and connectivity to trusted environments only
- Implement application-layer authentication in addition to BLE bonding
- Use physical proximity verification before accepting new Bluetooth pairings
- Deploy network segmentation to isolate Bluetooth-enabled devices from critical systems
# Configuration example
# Verify NimBLE version in your project dependencies
grep -r "mynewt-nimble" project.yml
# Update to patched version 1.9.0
# In project.yml or package configuration:
# mynewt-nimble: "^1.9.0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

