CVE-2025-9994: CWE-306 Missing Authentication for Critical Function in Amped RF BT-AP 111
The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.
AI Analysis
Technical Summary
CVE-2025-9994 is a critical vulnerability affecting the Amped RF BT-AP 111 Bluetooth access point. The core issue is the absence of any authentication mechanism on the device's HTTP administrative interface. This means that anyone with network access to the device can connect to the admin interface without credentials and perform administrative functions. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-287 (Improper Authentication), indicating a fundamental security design flaw. The CVSS v3.1 score of 9.8 reflects the severity, with attack vector being network (AV:N), no required privileges (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability all rated high (C:H/I:H/A:H). Because the HTTP admin interface controls critical device functions, unauthorized access could allow attackers to modify configurations, disrupt Bluetooth communications, or pivot into connected networks. The vulnerability affects all versions of the BT-AP 111 product line, and no patches or mitigations have been published yet. Although no exploits are currently known in the wild, the ease of exploitation and critical impact make this a significant threat, especially in environments where these devices are deployed in sensitive or enterprise networks. The lack of authentication on an administrative interface exposed over the network is a severe security oversight, enabling attackers to fully compromise the device remotely without any barriers.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial. The BT-AP 111 is used to extend Bluetooth connectivity, often in enterprise, industrial, or public environments. Unauthorized access to the admin interface could lead to disruption of Bluetooth services, potentially affecting operational technology, IoT devices, or user connectivity. Attackers could alter device configurations to intercept or manipulate Bluetooth traffic, leading to data breaches or espionage. Furthermore, compromised devices could serve as footholds for lateral movement within corporate networks, threatening broader IT infrastructure. Critical sectors such as manufacturing, healthcare, transportation, and public services that rely on Bluetooth-enabled devices are particularly at risk. The high CVSS score indicates that confidentiality, integrity, and availability of systems connected via these access points could be severely impacted. Given the device’s network exposure and lack of authentication, attackers do not require credentials or user interaction, increasing the likelihood of exploitation. This vulnerability could also undermine compliance with European data protection regulations like GDPR if personal data is intercepted or compromised.
Mitigation Recommendations
Immediate mitigation steps include isolating the BT-AP 111 devices from untrusted networks to limit exposure. Network segmentation should be enforced to restrict access to the device’s HTTP admin interface strictly to trusted administrators. Employing firewall rules or access control lists (ACLs) to block unauthorized IP addresses from reaching the device is critical. Since no official patch is available, organizations should consider disabling the HTTP admin interface if possible or replacing the affected devices with alternatives that enforce authentication. Monitoring network traffic for unusual access patterns to the device can help detect exploitation attempts early. Additionally, deploying network intrusion detection/prevention systems (IDS/IPS) with signatures targeting unauthorized access attempts to these devices can provide proactive defense. Organizations should also engage with Amped RF for updates or firmware patches and plan for rapid deployment once available. Documenting and auditing all Bluetooth access points and their configurations will aid in identifying vulnerable devices and prioritizing remediation efforts.
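The ACL and traffic-monitoring recommendations above can be checked against firewall flow logs. The following is an added example, not part of the original advisory or any vendor tooling: it flags every connection to an inventoried BT-AP 111 admin interface from outside the administrator networks. The device addresses, admin subnet, key=value log format and the use of TCP port 80 are all assumptions made for illustration.

```python
import ipaddress

# Every value here is constructed for illustration; none comes from the advisory.
BTAP_DEVICES = {"10.20.30.11", "10.20.30.12"}         # inventoried BT-AP 111 units
ADMIN_NETS = [ipaddress.ip_network("10.20.99.0/28")]  # trusted administrator hosts
ADMIN_PORTS = {80}                                    # assumed HTTP admin port

# Constructed firewall flow records in an assumed key=value format.
SAMPLE_FLOWS = """\
2025-09-10T08:01:12Z src=10.20.99.5 dst=10.20.30.11 dport=80 action=allow
2025-09-10T08:03:40Z src=10.20.40.77 dst=10.20.30.11 dport=80 action=allow
2025-09-10T08:03:41Z src=10.20.40.77 dst=10.20.30.12 dport=80 action=deny
2025-09-10T08:05:02Z src=10.20.40.77 dst=10.20.30.50 dport=80 action=allow
2025-09-10T08:06:19Z src=203.0.113.9 dst=10.20.30.12 dport=80 action=allow
malformed line without fields
"""

def parse_flow(line):
    """Parse one flow record; return None for malformed or incomplete lines."""
    tokens = line.split()
    fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    try:
        return {
            "ts": tokens[0],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
            "action": fields["action"],
        }
    except (KeyError, ValueError, IndexError):
        return None

def audit(log_text):
    """Return findings for non-admin sources reaching a BT-AP 111 admin port."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        if rec["dst"] not in BTAP_DEVICES or rec["dport"] not in ADMIN_PORTS:
            continue
        if any(rec["src"] in net for net in ADMIN_NETS):
            continue
        # With no authentication on the device, an allowed flow is full admin
        # access (an ACL gap); a denied flow is an attempt the ACL stopped.
        kind = "ACL_GAP" if rec["action"] == "allow" else "BLOCKED_ATTEMPT"
        findings.append((kind, str(rec["src"]), rec["dst"], rec["ts"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

An `ACL_GAP` finding means the segmentation is not actually enforced for that path and should be treated as possible unauthorized administrative access; `BLOCKED_ATTEMPT` findings are worth alerting on as probing.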
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: certcc
- Date Reserved: 2025-09-04T15:31:44.614Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68c028f00b756cdd83640e36
Added to database: 9/9/2025, 1:17:36 PM
Last enriched: 9/17/2025, 1:10:28 AM
Last updated: 10/30/2025, 9:40:04 AM