CVE-2022-25837 in Core Specification

Summary

by MITRE • 12/12/2022

Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device supports BR/EDR Secure Connections pairing and the other BR/EDR Legacy PIN code pairing if the MITM negotiates BR/EDR Secure Simple Pairing in Secure Connections mode using the Passkey association model with the pairing Initiator and BR/EDR Legacy PIN code pairing with the pairing Responder and brute forces the Passkey entered by the user into the Responder as a 6-digit PIN code. The MITM attacker can use the identified PIN code value as the Passkey value to complete authentication with the Initiator via Bluetooth pairing method confusion.


Analysis

by VulDB Data Team • 06/18/2026

The vulnerability described in CVE-2022-25837 represents a significant security flaw in the Bluetooth Core Specification versions 1.0B through 5.3 that exploits a critical weakness in the pairing mechanism between Bluetooth devices. This vulnerability specifically targets the interaction between BR/EDR (Basic Rate/Enhanced Data Rate) Secure Connections pairing and Legacy PIN code pairing methods, creating a scenario where an unauthenticated attacker can potentially compromise the security of Bluetooth communications through adjacent access attacks. The flaw stems from the way different pairing methodologies are negotiated and handled during the Bluetooth pairing process, particularly when devices support multiple pairing modes that can be exploited through strategic attack vectors.

The technical implementation of this vulnerability occurs when an attacker positions themselves in close proximity to two Bluetooth devices attempting to pair with each other, exploiting the fact that one device supports BR/EDR Secure Simple Pairing in Secure Connections mode while the other uses Legacy PIN code pairing. The attacker can manipulate the pairing negotiation process by establishing a connection with the Initiator device using the Secure Connections mode with Passkey association, then simultaneously establishing a connection with the Responder device using Legacy PIN code pairing. This creates a scenario where the attacker can observe or capture the Passkey entered by a user on the Responder device and then brute force the 6-digit PIN code value. The vulnerability specifically leverages the confusion that arises when different pairing methods are used in sequence, allowing an attacker to effectively bypass security mechanisms that should normally prevent unauthorized access.

The operational impact of CVE-2022-25837 extends beyond simple credential theft, as it represents a sophisticated man-in-the-middle attack vector that can be executed with minimal physical proximity requirements and relatively simple tools. The vulnerability affects all Bluetooth devices that implement the affected Core Specification versions, making it particularly concerning for mobile devices, IoT devices, and any Bluetooth-enabled equipment where physical access can be gained by attackers. The attack requires the attacker to be in adjacent proximity to both devices during the pairing process, but this limitation does not prevent the attack from being highly effective in real-world scenarios where attackers can position themselves near target devices in public spaces, offices, or homes. The implications are severe because successful exploitation allows attackers to gain authenticated access to devices that would normally require proper pairing procedures to establish secure connections.

Security mitigations for this vulnerability should focus on implementing proper pairing method validation and ensuring that devices do not allow mixed pairing modes during authentication processes. Organizations should update their Bluetooth implementations to enforce consistent pairing methodologies and implement additional verification steps that prevent the type of pairing confusion that enables this attack. The vulnerability aligns with CWE-310 (Cryptographic Issues) and CWE-312 (Sensitive Data Exposure) categories, as it involves cryptographic weaknesses in the pairing process and potential exposure of authentication credentials. From an ATT&CK framework perspective, this vulnerability maps to T1566 (Phishing) and T1071.001 (Application Layer Protocol: Web Protocols) as it exploits the trust relationship established through Bluetooth pairing to gain unauthorized access. Device manufacturers should implement robust pairing protocol validation that prevents the negotiation of incompatible pairing methods and ensure that any authentication process requires consistent security mechanisms throughout the pairing sequence. The vulnerability also highlights the importance of proper cryptographic implementation and the need for security testing that specifically addresses mixed-mode pairing scenarios in wireless communication protocols.

Reservation: 02/24/2022

Disclosure: 12/12/2022

Moderation: accepted

CPE: ready

EPSS: 0.00353

KEV: no

Activities: very low
