CVE-2025-56019: n/a
An insecure permission vulnerability exists in the Agasta Easytouch+ version 9.3.97. The device allows unauthorized mobile applications to connect via Bluetooth Low Energy (BLE) without authentication. Once an unauthorized connection is established, legitimate applications are unable to connect, causing a denial of service. The attack requires proximity to the device, making it exploitable from an adjacent network location.
AI Analysis
Technical Summary
CVE-2025-56019 identifies an insecure permission vulnerability in the Agasta Easytouch+ device, specifically version 9.3.97. The vulnerability arises from the device's Bluetooth Low Energy (BLE) interface, which allows unauthorized mobile applications to establish connections without any authentication mechanism. This lack of authentication means that any nearby attacker with a BLE-capable device can connect to the Easytouch+ without needing credentials or user approval. Once an unauthorized connection is established, the device denies legitimate applications the ability to connect, effectively causing a denial of service (DoS) condition. The attack requires physical proximity since BLE communication range is typically limited to adjacent network locations, generally within 10 meters. The vulnerability does not appear to have a publicly available patch or mitigation from the vendor at this time, and no known exploits are reported in the wild. The lack of authentication on BLE connections represents a significant security flaw because it allows attackers to disrupt normal device operation and potentially interfere with critical functions that rely on the Easytouch+ device. Although the vulnerability does not directly disclose sensitive data or allow code execution, the DoS impact can disrupt business processes or safety-critical operations depending on the device's use case. The absence of a CVSS score necessitates an independent severity assessment based on the vulnerability's characteristics.
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the deployment context of the Agasta Easytouch+ device. If the device is used in environments where BLE connectivity is critical for operational workflows—such as manufacturing, healthcare, or facility management—the denial of service could lead to operational downtime, reduced productivity, or safety risks. The proximity requirement limits remote exploitation but does not eliminate risk in densely populated or publicly accessible facilities where attackers could gain physical closeness. Disruption of legitimate BLE connections could also affect user experience and trust in the device, potentially causing cascading effects if the device is part of a larger automated system. Additionally, organizations with strict regulatory requirements around availability and operational continuity (e.g., critical infrastructure or healthcare providers) could face compliance challenges if this vulnerability is exploited. The lack of authentication also raises concerns about potential future exploitation vectors if attackers combine this vulnerability with other weaknesses to escalate impact.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement compensating controls to mitigate risk. First, physical security around devices should be enhanced to prevent unauthorized proximity access, including restricting access to areas where Easytouch+ devices are deployed. Network segmentation and monitoring of BLE traffic can help detect and alert on unauthorized connection attempts. Organizations should consider disabling BLE connectivity on Easytouch+ devices where it is not strictly necessary or use BLE signal jamming technologies in sensitive areas to limit unauthorized access. If possible, deploying additional authentication layers at the application level or using BLE security features such as bonding and encryption can reduce risk. Regularly auditing device firmware versions and vendor communications for patches or updates is critical. Finally, organizations should prepare incident response plans specifically addressing BLE-related disruptions to minimize operational impact if exploitation occurs.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68deb604da2dc2424f5e63c0
Added to database: 10/2/2025, 5:27:32 PM
Last enriched: 10/2/2025, 5:27:48 PM
Last updated: 10/2/2025, 8:42:32 PM
Views: 5
Related Threats
CVE-2025-61668: CWE-476: NULL Pointer Dereference in plone volto (High)
CVE-2025-61600: CWE-400: Uncontrolled Resource Consumption in stalwartlabs stalwart (High)
CVE-2025-54086: Vulnerability in Absolute Security Secure Access (Medium)
CVE-2025-61603: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA (Critical)
CVE-2025-61595: CWE-400: Uncontrolled Resource Consumption in MANTRA-Chain mantrachain (High)