CVE-2025-15474: CWE-770 Allocation of Resources Without Limits or Throttling in AuntyFey Smart Combination Lock
AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections. Sustained connection attempts interrupt keypad authentication input and repeatedly force the device into lockout states, preventing legitimate users from unlocking the device.
AI Analysis
Technical Summary
CVE-2025-15474 affects AuntyFey Smart Combination Lock firmware current as of 24 December 2025. The root cause is allocation of resources without limits or throttling (CWE-770) in the lock's handling of Bluetooth Low Energy (BLE) connections: nothing rate-limits incoming connection requests, so an unauthenticated attacker within BLE range (roughly tens of metres under normal conditions, more with a high-gain antenna) can initiate connections continuously. Each connection interrupts keypad authentication input, and the sustained stream forces the device into repeated lockout states, so legitimate users cannot unlock it. The result is a denial of service (DoS): confidentiality and integrity are unaffected, but availability is lost for as long as the attacker keeps transmitting. The record carries a CVSS 4.0 score (the vector is not reproduced on this page); the description implies an adjacent attack vector (the attacker must be in radio range, not on a network path), low attack complexity, and no privileges or user interaction, so the bar for exploitation is a commodity BLE radio. No patch or public exploit was known at the time of writing, which also means affected devices remain exposed until the vendor ships firmware that throttles connection handling. The flaw matters most where the lock is the only control on a door or container: offices, residential buildings, secure storage areas.
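The CWE-770 pattern in the summary, shown as a small state-machine model: an unthrottled connection handler that pre-empts keypad entry and counts each interruption as a failed attempt, next to a version that rate-limits connection requests per peer and leaves keypad entry untouched. This is an added illustration, not AuntyFey firmware; the lockout threshold, lockout duration, window size and the rule that an aborted entry counts as a failure are assumptions chosen to reproduce the behaviour the advisory describes.

```python
"""Model of BLE/keypad arbitration in a smart lock (hypothetical, not vendor code)."""
from collections import deque

LOCKOUT_THRESHOLD = 3     # assumed: aborted/failed entries before the lock locks out
LOCKOUT_SECONDS = 60.0    # assumed lockout duration
MAX_CONN_PER_WINDOW = 3   # throttle: connections accepted per peer per window
WINDOW_SECONDS = 10.0


class Lock:
    def __init__(self, throttled: bool):
        self.throttled = throttled
        self.failed = 0
        self.locked_until = 0.0
        self.entry_started = None        # time the current keypad entry began
        self.unlocks = 0
        self.accepted_conns = 0
        self.rejected_conns = 0
        self._recent = {}                # peer address -> deque of accept times

    def locked(self, now):
        return now < self.locked_until

    def keypad_start(self, now):
        if self.locked(now):
            return False
        self.entry_started = now
        return True

    def keypad_complete(self, now, correct=True):
        if self.entry_started is None or self.locked(now):
            return False
        self.entry_started = None
        if correct:
            self.failed = 0
            self.unlocks += 1
            return True
        self._fail(now)
        return False

    def _fail(self, now):
        self.failed += 1
        if self.failed >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed = 0

    def ble_connect(self, now, peer):
        if self.throttled:
            q = self._recent.setdefault(peer, deque())
            while q and now - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= MAX_CONN_PER_WINDOW:
                self.rejected_conns += 1   # dropped before it can touch the keypad path
                return False
            q.append(now)
            self.accepted_conns += 1
            return True                    # accepted, but keypad entry is not pre-empted
        # Vulnerable path (CWE-770): every request is serviced, and servicing it
        # aborts any keypad entry in progress, which is then counted as a failure.
        self.accepted_conns += 1
        if self.entry_started is not None:
            self.entry_started = None
            self._fail(now)
        return True


def simulate(throttled, attempts=20, interval=0.5, peer="aa:bb:cc:dd:ee:ff"):
    """One user typing a code while a single peer sends `attempts` connection
    requests `interval` seconds apart. Returns the outcome for inspection."""
    lock = Lock(throttled)
    now = 0.0
    lock.keypad_start(now)
    for _ in range(attempts):
        now += interval
        lock.ble_connect(now, peer)
        if lock.entry_started is None and not lock.locked(now):
            lock.keypad_start(now)         # user starts again after an interruption
    now += 1.0
    return {
        "completed": lock.keypad_complete(now),
        "locked": lock.locked(now),
        "accepted": lock.accepted_conns,
        "rejected": lock.rejected_conns,
    }


if __name__ == "__main__":
    print("unthrottled:", simulate(throttled=False))
    print("throttled:  ", simulate(throttled=True))
```

With the unthrottled handler three interruptions are enough to trip the lockout, after which the user cannot even start an entry; with the per-peer window only the first three requests are serviced and the keypad entry completes. In a real device the limit belongs in the BLE host or controller policy, for instance restricting connection requests to bonded peers via the controller's filter accept list and backing off on repeated requests, rather than in application code after the link is already up.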
Potential Impact
For European organizations, the primary impact of CVE-2025-15474 is operational disruption: denial of service against a physical access control. Facilities relying on AuntyFey Smart Combination Locks could see doors or containers become unopenable for as long as an attacker keeps transmitting, preventing employees or authorized personnel from reaching secured areas. That translates into productivity loss, delayed emergency response, and potential safety hazards if critical areas become inaccessible. In sectors such as healthcare, finance, or government, where physical security is tightly coupled to operational continuity, such disruptions can cascade. Repeated lockouts may also force costly manual overrides or lock replacements. The vulnerability does not expose sensitive data or grant unauthorized entry, but the availability impact alone can be significant. Organizations with dense deployments of BLE-enabled smart locks are at higher risk, especially where nobody monitors the radio environment or can respond quickly. No public exploit is known, but the attack needs nothing beyond a phone or a development board that can issue BLE connection requests, so the absence of a published exploit should not be read as difficulty; an attacker could use it opportunistically or as part of a targeted disruption.
Mitigation Recommendations
To mitigate CVE-2025-15474, organizations should first obtain and apply firmware updates from AuntyFey that throttle BLE connection handling, and ask the vendor whether the fix also restricts connection requests to bonded peers (the BLE controller's filter accept list) rather than only rate-limiting them. Until a patch exists, the most effective step is to remove the attack surface: if the lock's settings allow BLE to be disabled and the device to run keypad-only, use that mode on locks protecting critical areas (whether the firmware offers this is vendor-specific). Physical security teams can monitor for connection floods near lock installations, with one caveat: a phone scanner app only sees advertisements, so detecting repeated connection attempts requires a sniffer that captures the advertising channels and shows CONNECT_IND PDUs. Two indirect signs visible to a plain scanner are the lock's advertisements disappearing for long stretches (most single-connection peripherals stop advertising while connected) and an unfamiliar address persistently present near the lock. Do not deploy BLE jammers: intentionally jamming the 2.4 GHz band is unlawful in the UK and EU member states and would also disrupt Wi-Fi and other legitimate users; passive RF shielding of the enclosure or area is the lawful option, provided it still lets the legitimate app reach the lock where BLE unlock is needed. Combining the smart lock with an independent factor such as RFID or biometric readers, or a conventional key override, reduces reliance on a single vulnerable device. Train staff to recognize and report lockout incidents promptly, and give incident response plans a documented manual override or emergency access procedure for affected locks. Where the product exposes event logs through its companion app or a gateway, collect them so that lockout bursts can be correlated with sniffer observations. Engage the vendor to accelerate patch delivery and publish secure-configuration guidance. Finally, when evaluating replacements, ask vendors how their locks behave under sustained connection attempts and whether keypad input has priority over radio events.
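The connection-flood detection recommended above, as an added example that is not part of the original advisory: it runs a sliding-window count of CONNECT_IND PDUs over a sniffer export. The input format (time,initiator,advertiser,pdu_type) and the sample lines are constructed for this example; adapt parse_export to whatever your sniffer or tshark field export actually produces. Counting is done both per (initiator, target) pair and per target alone, because an attacker can rotate random initiator addresses between requests and would otherwise slip under a per-initiator threshold.

```python
"""Detect BLE connection-request floods against a lock in a sniffer export.
Added example; the export format and sample data are constructed."""
from collections import defaultdict, deque

CONNECT_PDUS = {"CONNECT_IND", "CONNECT_REQ"}   # CONNECT_REQ is the pre-5.0 name
WINDOW_SECONDS = 10.0
THRESHOLD = 5          # tune per site: a legitimate user connects about once per unlock

# Constructed sample export (not a real capture): a second device hammers the lock
# at roughly 2 requests/s, then a legitimate phone connects once.
SAMPLE_EXPORT = """\
# time_s,initiator,advertiser,pdu_type
0.000,,d4:3d:7e:aa:bb:cc,ADV_IND
0.510,7c:2f:80:01:02:03,d4:3d:7e:aa:bb:cc,CONNECT_IND
1.020,7c:2f:80:01:02:03,d4:3d:7e:aa:bb:cc,CONNECT_IND
1.530,7c:2f:80:01:02:03,d4:3d:7e:aa:bb:cc,CONNECT_IND
2.040,7c:2f:80:01:02:03,d4:3d:7e:aa:bb:cc,CONNECT_IND
2.550,7c:2f:80:01:02:03,d4:3d:7e:aa:bb:cc,CONNECT_IND
3.060,7c:2f:80:01:02:03,d4:3d:7e:aa:bb:cc,CONNECT_IND
3.570,7c:2f:80:01:02:03,d4:3d:7e:aa:bb:cc,CONNECT_IND
4.080,7c:2f:80:01:02:03,d4:3d:7e:aa:bb:cc,CONNECT_IND
6.000,c0:ff:ee:11:22:33,d4:3d:7e:aa:bb:cc,CONNECT_IND
"""


def parse_export(text):
    """Yield (time, initiator, advertiser, pdu) tuples; skip blank and comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t, init, adv, pdu = (f.strip() for f in line.split(","))
        yield float(t), init.lower(), adv.lower(), pdu.upper()


def _window_push(q, t, window):
    """Append t to the deque, drop entries older than the window, return the count."""
    q.append(t)
    while q and t - q[0] > window:
        q.popleft()
    return len(q)


def detect_connect_floods(text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return the first moment each (initiator, target) pair and each target
    alone exceeds `threshold` connection requests inside `window` seconds."""
    by_pair, by_target = defaultdict(deque), defaultdict(deque)
    seen_pair, seen_target = set(), set()
    alerts = {"by_pair": [], "by_target": []}
    for t, init, adv, pdu in parse_export(text):
        if pdu not in CONNECT_PDUS:
            continue
        n = _window_push(by_pair[(init, adv)], t, window)
        if n >= threshold and (init, adv) not in seen_pair:
            seen_pair.add((init, adv))
            alerts["by_pair"].append(
                {"initiator": init, "target": adv, "count": n, "at": t})
        n = _window_push(by_target[adv], t, window)   # catches rotating initiator addresses
        if n >= threshold and adv not in seen_target:
            seen_target.add(adv)
            alerts["by_target"].append({"target": adv, "count": n, "at": t})
    return alerts


if __name__ == "__main__":
    for kind, items in detect_connect_floods(SAMPLE_EXPORT).items():
        for alert in items:
            print(kind, alert)
```

Run it against a live export by piping the sniffer's CSV into detect_connect_floods; the per-target alert is the one to page on, since it fires regardless of how the attacker randomizes its own address, while the per-pair alert identifies a fixed-address source when there is one.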
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-07T04:10:49.571Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695de67da55ed4ed995516f8
Added to database: 1/7/2026, 4:52:13 AM
Last enriched: 1/7/2026, 4:59:55 AM
Last updated: 1/8/2026, 4:58:24 AM