Cyber Resilience

CVE-2024-45434

CriticalPublic PoC

Published: 12 September 2025

Published
12 September 2025
Modified
02 October 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0249 85.6th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45434 is a critical-severity Use After Free (CWE-416) vulnerability in Opensynergy Blue Sdk. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-45434 is a Use-After-Free vulnerability (CWE-416) affecting OpenSynergy BlueSDK, also known as Blue SDK, through version 6.x. The flaw resides in the BlueSDK Bluetooth stack, where the software fails to validate the existence of an object prior to performing operations on it, leading to use-after-free conditions. This issue has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.

The vulnerability can be exploited remotely over the network by any unauthenticated attacker with network access to the target Bluetooth stack, requiring low complexity and no user interaction. Successful exploitation allows the attacker to achieve remote code execution in the context of the user account under which the Bluetooth process runs, potentially leading to full compromise of the affected system.

For mitigation details, refer to advisories such as the one published by PCA Cybersecurity at https://pcacybersecurity.com/resources/advisory/perfekt-blue and the vendor site at https://www.opensynergy.com/. The vulnerability was published on 2025-09-12.

EU & UK References

Vulnerability details

OpenSynergy BlueSDK (aka Blue SDK) through 6.x has a Use-After-Free. The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from the lack of validating the existence of an object before performing operations on the object (aka use…

more

after free). An attacker can leverage this to achieve remote code execution in the context of a user account under which the Bluetooth process runs.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network RCE via Bluetooth stack memory corruption directly matches exploitation of exposed network-accessible services/applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-63651Shared CWE-416
CVE-2026-31972Shared CWE-416
CVE-2025-70968Shared CWE-416
CVE-2026-0794Shared CWE-416
CVE-2026-32942Shared CWE-416
CVE-2026-45185Shared CWE-416
CVE-2025-47917Shared CWE-416
CVE-2025-24064Shared CWE-416
CVE-2026-31718Shared CWE-416
CVE-2026-41401Shared CWE-416

Affected Assets

opensynergy
blue sdk
≤ 6.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of the use-after-free flaw in the BlueSDK Bluetooth stack to prevent remote code execution.

prevent

Implements memory protection mechanisms such as ASLR and non-executable memory that directly mitigate exploitation of the use-after-free vulnerability.

prevent

Establishes usage restrictions and authorizations for wireless access, limiting remote network-based exploitation of the Bluetooth stack vulnerability.

References