{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/763183#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe Amp’ed RF BT-AP 111 Bluetooth Access Point exposes an HTTP-based administrative interface without authentication controls. This allows an unauthenticated remote attacker to gain full administrative access to the device.\r\n\r\n### Description\r\nThe Amp’ed RF BT-AP 111 is a Bluetooth-to-Ethernet bridge that can function as an access point or a Bluetooth gateway. According to the [vendor’s website](https://www.ampedrftech.com/accessdevices.htm), the device supports Universal Plug and Play (UPnP) on the Ethernet side and acts as a UART Serial device to support up to seven simultaneous Bluetooth connections.\r\n\r\nThe BT-AP 111 provides a web-based administrative interface over HTTP. However, this interface does not implement any authentication mechanism. As a result, any user with network access to the device’s HTTP port can view and modify the administrative interface. An attacker with such access can alter Bluetooth configurations, network parameters, and other security-related settings.\r\n\r\nAccording to NIST guidance, authentication is an expected baseline security control even for near-field or Bluetooth devices. The [NIST Guide to Bluetooth Security (SP 800-121 Rev. 2)](https://www.researchgate.net/publication/329973302_NIST_Special_Publication_800-121_Guide_to_Bluetooth_Security) defines security levels that require at least authentication (Service Level 2) and preferably authentication and authorization (Service Level 1). More broadly, [NIST SP 800-124 Rev. 1](https://csrc.nist.rip/publications/nistpubs/800-124-rev1/sp800_124_r1.epub) emphasizes that devices should enforce authentication before granting access to configuration or administrative resources. 
The absence of authentication on the BT-AP 111 administrative web interface is therefore inconsistent with established best practices.\r\n\r\n### Impact\r\nAn attacker with network access (local or remote) to the web interface can gain full administrative control of the device and modify any settings exposed through the interface.\r\n\r\n### Solution\r\nAt this time, CERT/CC has not received a response from the vendor regarding this vulnerability. Since the device cannot be secured with authentication or any access controls, it is recommended that any deployments be restricted to isolated networks that are inaccessible to untrusted users.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Souvik Kandar. This document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/763183"},{"url":"https://www.ampedrftech.com/accessdevices.htm","summary":"https://www.ampedrftech.com/accessdevices.htm"},{"url":"https://www.researchgate.net/publication/329973302_NIST_Special_Publication_800-121_Guide_to_Bluetooth_Security","summary":"https://www.researchgate.net/publication/329973302_NIST_Special_Publication_800-121_Guide_to_Bluetooth_Security"},{"url":"https://csrc.nist.rip/publications/nistpubs/800-124-rev1/sp800_124_r1.epub","summary":"https://csrc.nist.rip/publications/nistpubs/800-124-rev1/sp800_124_r1.epub"}],"title":"Amp'ed RF BT-AP 111 Bluetooth access point lacks an authentication mechanism","tracking":{"current_release_date":"2025-09-09T12:59:42+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#763183","initial_release_date":"2025-09-09 12:59:42.649587+00:00","revision_history":[{"date":"2025-09-09T12:59:42+00:00","number":"1.20250909125942.1","summary":"Released on 2025-09-09T12:59:42+00:00"}],"status":"final","version":"1.20250909125942.1"}},"vulnerabilities":[{"title":"The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing unauthorized access to anyone with network access.","notes":[{"category":"summary","text":"The Amp’ed RF BT-AP 111 Bluetooth access point's HTTP admin interface does not have an authentication feature, allowing 
unauthorized access to anyone with network access."}],"cve":"CVE-2025-9994","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#763183"}]}],"product_tree":{"branches":[]}}