CVE-2023-6387: CWE-787 Out-of-bounds Write in silabs.com GSDK
A potential buffer overflow exists in the Bluetooth LE HCI CPC sample application in the Gecko SDK which may result in a denial of service or remote code execution
AI Analysis
Technical Summary
CVE-2023-6387 is a high-severity vulnerability in the Bluetooth LE HCI CPC sample application shipped with the Gecko SDK (GSDK) from silabs.com; the record lists version 1.0 as affected. In that sample the EFR32 device runs the Bluetooth Low Energy (LE) controller and exposes its Host Controller Interface (HCI) to an external host over CPC, Silicon Labs' Co-Processor Communication transport. The weakness is an out-of-bounds write (CWE-787): data is written past the end of the buffer allocated for it, corrupting whatever lies in the adjacent memory. Depending on what that memory holds, the outcome ranges from a crash or hang (denial of service) to control of the device (remote code execution). The vendor description says only that a "potential buffer overflow" exists. The most plausible shape of such a defect in packet-handling code is a length field taken from an incoming HCI or CPC frame and used to copy data without being compared against the capacity of the destination buffer, although the advisory does not state this. The CVSS v3.1 base score is 7.5 (High). The vector AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H breaks down as follows: adjacent attack vector (the attacker must be within Bluetooth range rather than anywhere on the Internet), high attack complexity (reliable exploitation typically depends on conditions the attacker does not fully control, such as memory layout), no privileges and no user interaction required, unchanged scope, and high impact on confidentiality, integrity and availability. No exploits are known in the wild at the time of writing. Because the affected code is a sample application, and sample code is routinely copied into product firmware, the population of affected devices may be larger than the name suggests.
Potential Impact
For European organizations the impact depends on where Bluetooth LE devices built on this SDK are deployed; healthcare, manufacturing, smart home and automotive are the sectors most likely to be affected. Successful exploitation gives an attacker control of the device, so the data it handles, the service it provides and the integrity of its firmware are all at stake. Because the attack vector is adjacent, the attacker must be within radio range: this rules out exploitation over the Internet but not exploitation in public spaces, shared buildings or dense deployments. A compromised device that also has network connectivity, or that acts as a gateway, can serve as a foothold for attacks on the rest of the network. No patch was available at the time of publication, which lengthens the exposure window. Organizations whose products or supply chains incorporate the Gecko SDK should treat this as a product-security issue; a breach via a compromised device can also create GDPR obligations, including breach notification and liability for data loss or service interruption.
Mitigation Recommendations
Identify every device and product built on the affected Gecko SDK version (1.0) that implements the Bluetooth LE HCI CPC sample application or code derived from it. With no official patch available, reduce exposure: restrict physical access to Bluetooth-enabled devices, disable the Bluetooth interface where it is not needed, and, where a BLE sniffer is deployed, watch for malformed or unusually long packets directed at the affected devices. Vendors and developers should audit their code for the sample application and for any HCI or CPC message handling copied from it; every length or count read from an incoming frame must be checked against both the remaining frame length and the capacity of the buffer it is written into before the copy takes place. Building the firmware with stack protection and fuzzing the HCI parser help surface similar defects. Segment networks and tighten access controls so that a compromised device cannot reach more than it needs to. Track silabs.com for a fixed SDK release, and rebuild and redeploy firmware promptly once it is published. General Bluetooth hygiene (secure pairing methods, regular firmware updates) reduces the residual risk.
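The missing check described in the technical summary, and the form of the bounds check the mitigation paragraph asks developers to add, as an added example that is not the GSDK sample application's code. The handler below is hypothetical: it parses an HCI command packet (opcode, parameter total length, parameters) as it might arrive over a CPC frame and copies the parameters into a fixed 16-byte buffer. The vulnerable version trusts the length byte against the destination; the hardened version rejects anything that does not match the frame or fit the buffer. The simulated RAM, the 0x0040 connection handle placed right after the buffer, and the vendor-specific opcode 0xFC01 are all constructed for the demonstration.

```c
/* Hypothetical HCI-over-CPC command handler: vulnerable vs hardened bounds
 * check. Added example, not Silicon Labs code. The packet layout follows the
 * HCI command format: opcode (2 bytes, little-endian), parameter total
 * length (1 byte), parameters. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HCI_CMD_HDR_LEN 3              /* opcode(2) + parameter total length(1) */
#define PARAM_BUF_SIZE  16             /* hypothetical fixed-size parameter buffer */
#define CONN_STATE_OFF  PARAM_BUF_SIZE /* state that sits right after the buffer */

/* Simulated slice of controller RAM (constructed). It is large enough that any
 * 8-bit length stays inside it, so the overflow is observable without
 * undefined behaviour; on real hardware the excess bytes land in whatever
 * follows the buffer. */
struct sim_ram { uint8_t bytes[256]; };

void sim_ram_init(struct sim_ram *ram) {
    memset(ram, 0, sizeof *ram);
    ram->bytes[CONN_STATE_OFF]     = 0x40;  /* live connection handle 0x0040 */
    ram->bytes[CONN_STATE_OFF + 1] = 0x00;
}

uint16_t sim_conn_handle(const struct sim_ram *ram) {
    return (uint16_t)(ram->bytes[CONN_STATE_OFF] |
                      (ram->bytes[CONN_STATE_OFF + 1] << 8));
}

/* Vulnerable: the length byte is checked against the frame (so the read side
 * is sound) but never against the destination buffer. */
int vuln_handle_cmd(struct sim_ram *ram, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HCI_CMD_HDR_LEN) return -1;
    uint8_t plen = pkt[2];
    if (plen > pkt_len - HCI_CMD_HDR_LEN) return -1;  /* frame incomplete */
    /* BUG (CWE-787): plen is never compared with PARAM_BUF_SIZE */
    memcpy(&ram->bytes[0], pkt + HCI_CMD_HDR_LEN, plen);
    return plen;
}

/* Hardened: the length must match the frame exactly and fit the destination. */
int safe_handle_cmd(struct sim_ram *ram, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HCI_CMD_HDR_LEN) return -1;
    uint8_t plen = pkt[2];
    if (plen != pkt_len - HCI_CMD_HDR_LEN) return -1; /* frame/length mismatch */
    if (plen > PARAM_BUF_SIZE) return -1;              /* would overflow buffer */
    memcpy(&ram->bytes[0], pkt + HCI_CMD_HDR_LEN, plen);
    return plen;
}

/* Build a constructed command packet with opcode 0xFC01 (vendor-specific
 * OGF 0x3F, hypothetical) and plen parameter bytes all equal to fill.
 * Returns the total packet length, or 0 if the output buffer is too small. */
size_t build_cmd(uint8_t *out, size_t cap, uint8_t plen, uint8_t fill) {
    size_t total = HCI_CMD_HDR_LEN + plen;
    if (cap < total) return 0;
    out[0] = 0x01; out[1] = 0xFC;  /* opcode 0xFC01, little-endian */
    out[2] = plen;
    memset(out + HCI_CMD_HDR_LEN, fill, plen);
    return total;
}

typedef int (*cmd_handler)(struct sim_ram *, const uint8_t *, size_t);

/* Run one constructed packet through a handler. Returns the connection handle
 * afterwards (0x0040 if intact) and, if rc is non-NULL, the handler's result. */
uint16_t run_packet(cmd_handler h, uint8_t plen, int *rc) {
    struct sim_ram ram;
    uint8_t pkt[HCI_CMD_HDR_LEN + 255];
    size_t len = build_cmd(pkt, sizeof pkt, plen, 0x41);
    sim_ram_init(&ram);
    int r = h(&ram, pkt, len);
    if (rc) *rc = r;
    return sim_conn_handle(&ram);
}

int main(void) {
    int rc;
    uint16_t h = run_packet(vuln_handle_cmd, 24, &rc);
    printf("vulnerable, plen=24: rc=%d conn_handle=0x%04x\n", rc, h);
    h = run_packet(safe_handle_cmd, 24, &rc);
    printf("hardened,   plen=24: rc=%d conn_handle=0x%04x\n", rc, h);
    h = run_packet(safe_handle_cmd, 8, &rc);
    printf("hardened,   plen=8:  rc=%d conn_handle=0x%04x\n", rc, h);
    return 0;
}
```

With a 24-byte parameter block the vulnerable handler copies eight bytes past the 16-byte buffer and the connection handle becomes 0x4141; the hardened handler refuses the packet and leaves it at 0x0040, while an 8-byte block is accepted by both. The check that matters is the one against PARAM_BUF_SIZE; checking only against the frame length, as the vulnerable version does, protects the read but not the write.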
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Silabs
- Date Reserved: 2023-11-29T18:05:03.426Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 6:26:33 PM
Last updated: 8/17/2025, 3:53:00 PM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)