CVE-2025-52435 is a vulnerability classified under CWE-5 (J2EE Misconfiguration) affecting Apache Mynewt NimBLE versions up to 1.8.0. NimBLE is an open-source Bluetooth Low Energy (BLE) stack used in embedded and IoT devices. The vulnerability arises from improper handling of the Pause Encryption procedure at the Link Layer, which is part of the BLE protocol responsible for securing data transmissions. Specifically, when the Pause Encryption procedure is invoked, the connection that was previously encrypted can be left in an unencrypted state unintentionally. This misconfiguration allows an attacker within radio range to eavesdrop on the BLE communication after encryption has been paused, exposing sensitive data transmitted over the connection. The vulnerability is remotely exploitable without requiring any privileges or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5 (high), reflecting the ease of exploitation and the high impact on confidentiality, while integrity and availability remain unaffected. The issue was publicly disclosed on January 10, 2026, and fixed in Apache NimBLE version 1.9.0. No known exploits are currently reported in the wild. This vulnerability primarily affects embedded systems and IoT devices that rely on Apache NimBLE for BLE communications, including medical devices, industrial sensors, and consumer electronics.

For European organizations, the impact of CVE-2025-52435 is significant in sectors relying heavily on BLE-enabled IoT devices, such as healthcare, manufacturing, smart cities, and consumer electronics. The exposure of sensitive data through unencrypted BLE transmissions can lead to breaches of personal data, intellectual property theft, and loss of customer trust. In healthcare, compromised medical device communications could endanger patient safety and violate GDPR requirements for data protection. Industrial environments using BLE sensors for monitoring and control could face operational risks if sensitive telemetry is intercepted. Although the vulnerability does not affect data integrity or availability, the confidentiality breach alone can have severe regulatory and reputational consequences. The lack of authentication or user interaction needed for exploitation means attackers can silently intercept data, increasing the risk of undetected espionage or data leakage. Organizations using affected versions of Apache NimBLE in their device fleets must consider the risk of widespread exposure, especially in environments with dense device deployments.

The primary mitigation is to upgrade all affected Apache NimBLE instances to version 1.9.0 or later, where the Pause Encryption handling flaw has been corrected. Organizations should implement a comprehensive inventory of devices using NimBLE to identify vulnerable versions. For devices that cannot be immediately upgraded, network-level controls such as restricting BLE communication range or employing physical security measures to limit attacker proximity can reduce risk. Additionally, monitoring BLE traffic for anomalies or unexpected unencrypted transmissions may help detect exploitation attempts. Device manufacturers should review their BLE security configurations and consider implementing additional encryption layers or secure pairing mechanisms. Security teams should also ensure that firmware update mechanisms are secure and capable of rapid deployment to mitigate this and future vulnerabilities. Finally, organizations should educate users and administrators about the risks of BLE vulnerabilities and enforce policies to minimize exposure.