CVE-2025-62235 is an authentication bypass vulnerability classified under CWE-290 affecting Apache Mynewt NimBLE, a Bluetooth Low Energy (BLE) stack used in embedded and IoT devices. The vulnerability arises when the NimBLE stack processes a specially crafted Security Request packet. This packet can trick the system into removing the original bond between two BLE devices and establishing a new bond with an attacker-controlled device. This spoofing attack effectively allows the attacker to impersonate a trusted device, bypassing authentication mechanisms. The flaw affects all versions up to 1.8.0 and was addressed in version 1.9.0. The CVSS v3.1 score is 8.1 (high), reflecting that the attack vector is adjacent network (Bluetooth), requires no privileges or user interaction, and impacts confidentiality and integrity severely, though availability remains unaffected. The vulnerability can be exploited remotely over BLE without authentication, making it a significant risk for devices relying on secure BLE communications for sensitive data or control commands. No known exploits are reported in the wild yet, but the potential for misuse in IoT environments is considerable due to the widespread use of NimBLE in embedded systems.

For European organizations, this vulnerability poses a serious risk to the confidentiality and integrity of data transmitted over BLE connections, particularly in sectors such as manufacturing, healthcare, smart buildings, and automotive where BLE-enabled IoT devices are prevalent. An attacker exploiting this flaw could impersonate legitimate devices, gaining unauthorized access to sensitive information or control over critical systems. This could lead to data breaches, unauthorized command execution, or manipulation of device behavior. The lack of impact on availability reduces the risk of denial-of-service, but the stealthy nature of the attack increases the difficulty of detection. Organizations relying on BLE for secure communications must consider the risk of espionage, sabotage, or data theft. The vulnerability also undermines trust in BLE device ecosystems, potentially affecting supply chains and operational continuity.

The primary mitigation is to upgrade all affected Apache Mynewt NimBLE instances to version 1.9.0 or later, which contains the fix for this vulnerability. Organizations should conduct an inventory of all BLE-enabled devices using NimBLE to identify vulnerable systems. For devices where upgrading NimBLE is not immediately possible, network-level controls such as restricting BLE communication range or implementing BLE device whitelisting can reduce exposure. Monitoring BLE traffic for unusual bonding requests or repeated Security Requests may help detect exploitation attempts. Additionally, organizations should review and strengthen BLE security policies, including enforcing strong pairing methods and regularly auditing device bonds. Collaboration with device manufacturers to ensure timely firmware updates is critical. Finally, integrating BLE security events into centralized logging and SIEM systems can improve incident response capabilities.