What is the Amp'ed RF BT-AP 111 CVE-2025-9994 vulnerability?

CVE-2025-9994 is a critical vulnerability with a CVSS score of 9.8 affecting the Amp'ed RF BT-AP 111 Bluetooth Access Point. The vulnerability is a complete absence of authentication mechanisms, allowing any user who can reach the device's HTTP port to immediately view and modify all administrative settings without any form of identity verification.

What is the Amp'ed RF BT-AP 111 device?

The Amp'ed RF BT-AP 111 is a Bluetooth-to-Ethernet bridge device designed to function as either an access point or Bluetooth gateway in enterprise environments. The device supports Universal Plug and Play (UPnP) functionality on the Ethernet side while simultaneously acting as a UART Serial device capable of handling up to seven concurrent Bluetooth connections.

How severe is the CVE-2025-9994 vulnerability?

CVE-2025-9994 is rated as critical with a CVSS score of 9.8, representing maximum severity. The vulnerability allows complete unauthorized access to administrative functions without any authentication requirements.

What can attackers do by exploiting CVE-2025-9994?

Any user who can reach the device's HTTP port through network access can immediately view and modify all administrative settings without providing any form of identity verification. This includes changing device configurations, monitoring Bluetooth connections, and potentially gaining access to connected devices.

Has Amp'ed RF responded to the CVE-2025-9994 vulnerability?

CERT/CC researchers have attempted to contact Amp'ed RF regarding this vulnerability but have not received any response from the vendor, indicating no official acknowledgment or patch timeline has been provided.

Is there a firmware update available to fix CVE-2025-9994?

No, there are currently no vendor-provided security updates available. Given the absence of vendor response and no possibility of implementing authentication controls through configuration, no patch is currently available.

How can organizations protect BT-AP 111 devices from CVE-2025-9994?

Organizations must rely on network-level security isolation to protect deployed BT-AP 111 devices. Network administrators should implement VLAN segmentation to create isolated network segments specifically for BT-AP 111 devices and restrict HTTP port access to authorized personnel only.

What network security measures should be implemented for BT-AP 111 devices?

Network administrators should implement VLAN segmentation to create isolated network segments specifically for BT-AP 111 devices, restrict access to the device's HTTP administrative interface through firewall rules, and monitor network traffic to and from these devices for unauthorized access attempts.

Should organizations replace their BT-AP 111 devices?

Yes, until Amp'ed RF releases firmware updates that implement proper authentication and authorization controls, organizations operating in security-sensitive environments should strongly consider replacing BT-AP 111 devices with alternative Bluetooth access point solutions that provide adequate security controls.

What makes CVE-2025-9994 particularly dangerous?

The vulnerability is particularly dangerous because it represents a complete absence of authentication mechanisms rather than a bypassable security control. There is no way to configure authentication on the device, making it inherently insecure when accessible via network connections.

Can the BT-AP 111 authentication issue be fixed through configuration?

No, there is no possibility of implementing authentication controls through device configuration. The complete absence of authentication mechanisms means the vulnerability cannot be mitigated at the device level and requires network-level protections.

What enterprise environments typically use BT-AP 111 devices?

The BT-AP 111 is designed for enterprise environments where Bluetooth-to-Ethernet bridging is required, serving as either an access point or Bluetooth gateway. It's commonly used in industrial settings, IoT deployments, and enterprise networks requiring Bluetooth connectivity integration.

Who discovered the CVE-2025-9994 vulnerability?

The vulnerability was identified by security researchers and reported through CERT/CC (Computer Emergency Response Team Coordination Center), who have attempted to contact the vendor but received no response.

What immediate actions should BT-AP 111 users take?

Users should immediately implement network isolation for BT-AP 111 devices through VLAN segmentation, restrict HTTP port access through firewall rules, monitor for unauthorized access attempts, and evaluate replacing the devices with more secure alternatives if operating in security-sensitive environments.

Are there any workarounds for the BT-AP 111 authentication vulnerability?

The only effective workarounds are network-level security controls including VLAN isolation, firewall restrictions on HTTP port access, and physical security measures to prevent unauthorized network access to the devices. Device-level security cannot be implemented due to the complete absence of authentication mechanisms.

Advisory

Critical vulnerabilities reported in ABB Cylon Aspect building management systems

published: Sept. 11, 2025

Take action: If you have ABB Cylon Aspect Building Management Systems make sure the systems are isolated from the internet. Then immediately update firmware to version 3.08.04-s01 to fix critical authentication bypass vulnerabilities that could give attackers complete control of your building systems.

Learn More

ABB has patched multiple security vulnerabilities affecting its Cylon Aspect Building Management System (BMS) and Building Automation System (BAS) product lines.

Vulnerability summary

CVE-2025-53187 (CVSS score 9.8) - Authentication Bypass Using an Alternate Path or Channel, tracked as CVE-2025-53187 (CVSS score 9.8), represents the most critical vulnerability affecting all ASPECT firmware versions prior to 3.08.04-s01. This flaw originated from debugging code that was mistakenly included in production firmware releases, creating an unintended authentication bypass mechanism that allows attackers to circumvent normal security controls.
CVE-2025-7679 (CVSS score 8.1) - Missing Authentication for Critical Function, tracked as CVE-2025-7679 (CVSS score 8.1), allows users to bypass authentication mechanisms entirely and affects all versions of ASPECT firmware. This vulnerability enables unauthorized access to critical system functions without requiring valid credentials.
CVE-2025-7677 (CVSS score 5.9) - Classic Buffer Overflow vulnerability, tracked as CVE-2025-7677 (CVSS score 5.9), affects all versions of ASPECT firmware and enables denial-of-service attacks when unauthorized users gain access to the local network. This vulnerability results from improper input validation that fails to check buffer size limits during data copying operations.

Affected versions include:

ABB ASPECT-Enterprise ASP-ENT-x systems running firmware versions prior to 3.08.04-s01,
ABB NEXUS Series NEX-2x devices with firmware versions prior to 3.08.04-s01,
ABB NEXUS Series NEXUS-3-x systems running firmware versions prior to 3.08.04-s01,
ABB MATRIX Series MAT-x devices with firmware versions prior to 3.08.04-s01.

Successful exploitation could enable attackers to assume complete control of building management systems, potentially disrupting critical building operations including HVAC controls, lighting systems, security mechanisms, and fire safety systems.

ABB has released firmware version 3.08.04-s01 to patch the critical authentication bypass vulnerability (CVE-2025-53187), and organizations should prioritize immediate deployment of this update. The buffer overflow and missing authentication vulnerabilities continue to affect all ASPECT firmware versions.

ABB strongly recommends that ASPECT devices should never be exposed directly to the Internet. Organizations requiring remote access to ASPECT systems should implement these connections exclusively through VPN gateways.

Critical vulnerabilities reported in ABB Cylon Aspect building management systems

Read More
Johnson Controls Patches Critical SQL Injection Flaw in …
CISA warns of critical authentication bypass flaw in …
Siemens reports multiple critical vulnerabilities in SENTRON 7KT …
Hackers attempt to exploit zero-day flaws in PTZOptics …
Authentication bypass vulnerability reported in Network Thermostat Smart …