Critical Vulnerability in Amp’ed RF BT-AP 111 Bluetooth Access Point Grants Attackers Full Admin Access

A critical security flaw discovered in the Amp’ed RF BT-AP 111 Bluetooth-to-Ethernet bridge exposes its HTTP-based administrative interface without any form of authentication controls.

The BT-AP 111, capable of supporting up to seven simultaneous Bluetooth connections via a UART serial interface and offering Universal Plug and Play (UPnP) on its Ethernet port, provides a web-based administrative panel accessible over HTTP.

Security researchers found that this interface does not implement user credentials, token-based access, or any form of authentication. Consequently, any device on the same network segment can request the HTTP endpoint and view or modify critical settings.

By exploiting this flaw, unauthenticated attackers can alter Bluetooth pairing modes, adjust network parameters such as IP addressing and DHCP options, and manipulate security-related configurations.

If firmware management features are exposed through the interface, adversaries could also upload malicious firmware, effectively granting them complete control over the device.

Such unauthorized access undermines network segmentation and isolation strategies, as attackers can pivot from the compromised BT-AP 111 to adjacent systems or networks.

Deviation from NIST Security Guidelines

The absence of authentication on an administrative interface conflicts with established NIST guidance.

The NIST Guide to Bluetooth Security (SP 800-121 Rev. 2) specifies that Bluetooth devices operating beyond near-field communication must enforce at least Service Level 2 controls, requiring authentication before granting service-level access.

Furthermore, NIST SP 800-124 Rev. 1 mandates that all network-connected devices enforce authentication to protect configuration and administrative resources. The BT-AP 111’s omission of these baseline security controls represents a clear violation of these recommendations.

Impact and Risk Assessment

Tracked as CVE-2025-9994, this vulnerability carries a high impact rating due to its facilitation of complete administrative takeover without user interaction or existing credentials.

An attacker exploiting this issue can disrupt Bluetooth connectivity, degrade service availability, and manipulate network settings to facilitate lateral movement or intercept sensitive data.

Organizations deploying BT-AP 111 devices in mixed-use or untrusted environments are particularly vulnerable, as attackers can establish persistent footholds within corporate or operational networks.

Mitigation and Recommendations

As of now, CERT/CC has not received any remediation guidance or firmware update plans from Amp’ed RF. In the absence of an official patch, system administrators must assume that devices remain vulnerable to potential security threats.

The most effective interim mitigation is to isolate BT-AP 111 units on secure, air-gapped, or strictly controlled management networks inaccessible to general user traffic.

Implementing network segmentation through VLANs or ACLs at the switch level ensures that only authorized administrators can access the device’s HTTP port. Additionally, monitoring HTTP access logs and configuration changes can help detect exploitation attempts.
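As an added example (not code from the advisory or from Amp'ed RF), the following Python sketch applies the monitoring recommendation above: it scans constructed HTTP access-log lines and flags any request to the device's HTTP port from outside an assumed management VLAN, and marks configuration-changing requests from inside it for review. The device address, management subnet, URL paths and log format are placeholders, not values from the product.

```python
"""Detection sketch for unauthenticated BT-AP 111 admin-interface access.

Added example; not the advisory's or vendor's code. The device IP, the
management subnet, the URL paths and the key=value log format are all
constructed placeholders.
"""
import ipaddress
import re

DEVICE_IP = ipaddress.ip_address("192.0.2.10")      # placeholder BT-AP 111 address
MGMT_NET = ipaddress.ip_network("10.0.100.0/24")    # placeholder admin VLAN
ADMIN_PORT = 80                                     # unauthenticated HTTP admin interface
CHANGE_METHODS = {"POST", "PUT"}                     # requests that modify settings

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+)$"
)

def classify(line):
    """Return a finding string for a suspicious log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if ipaddress.ip_address(m["dst"]) != DEVICE_IP or int(m["dport"]) != ADMIN_PORT:
        return None  # traffic not aimed at the device's admin port
    src = ipaddress.ip_address(m["src"])
    method = m["method"]
    if src not in MGMT_NET:
        # The interface has no authentication, so any client outside the
        # management VLAN reaching it is a segmentation failure to alert on.
        return f"{m['ts']} ALERT non-management source {src} {method} {m['path']}"
    if method in CHANGE_METHODS:
        # Allowed network, but a configuration change: queue for review.
        return f"{m['ts']} REVIEW config change by {src} {method} {m['path']}"
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]

SAMPLE_LOG = [  # constructed sample lines
    "2025-10-03T09:00:01Z src=10.0.100.5 dst=192.0.2.10 dport=80 method=GET path=/status",
    "2025-10-03T09:02:17Z src=10.0.100.5 dst=192.0.2.10 dport=80 method=POST path=/network",
    "2025-10-03T09:05:42Z src=10.20.7.33 dst=192.0.2.10 dport=80 method=GET path=/",
    "2025-10-03T09:05:49Z src=10.20.7.33 dst=192.0.2.10 dport=80 method=POST path=/firmware",
    "2025-10-03T09:06:00Z src=10.20.7.33 dst=192.0.2.44 dport=443 method=GET path=/",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```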

Until Amp’ed RF releases firmware updates that implement proper authentication and authorization controls, organizations should consider replacing or withdrawing BT-AP 111 devices from critical network segments; failure to do so risks exposing administrative controls to any attacker with basic network access.
