CVE-2025-52435
Published: 10 January 2026
Summary
CVE-2025-52435 is a high-severity J2EE Misconfiguration: Data Transmission Without Encryption (CWE-5) vulnerability in Apache NimBLE. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). The CVE ranks at the 11.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-40 (Wireless Link Protection) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2025-52435 is a J2EE Misconfiguration vulnerability classified as Data Transmission Without Encryption in Apache NimBLE. The root cause is improper handling of the Pause Encryption procedure on the Link Layer, which leaves a previously encrypted Bluetooth Low Energy connection in an unencrypted state. This issue affects Apache NimBLE versions through 1.8.0 and was published on 2026-01-10.
An eavesdropper with network access can exploit this vulnerability by observing the remainder of the data exchange after the encryption pause is mishandled. The attack has low complexity and requires no privileges and no user interaction, and the scope is unchanged. The result is a high confidentiality impact, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue is associated with CWE-5.
Advisories recommend upgrading to Apache NimBLE version 1.9.0, which addresses the issue. Fixing commits include 164f1c23c18a290908df76ed83fe848bfe4a4903 and ec3d75e909fa6dcadf1836fefc4432794a673d18 on the apache/mynewt-nimble GitHub repository, with details shared on Apache mailing lists and oss-security.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1854
Vulnerability details
J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange.
This issue affects Apache NimBLE: through <= 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability directly enables passive network eavesdropping on BLE traffic by disabling encryption, mapping to Network Sniffing.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires protection of wireless link communications from eavesdropping, mitigating the unencrypted Bluetooth Low Energy connection caused by improper Pause Encryption handling.
Mandates confidentiality protection for transmitted information, preventing eavesdroppers from observing data exchanges left unencrypted due to the NimBLE flaw.
Ensures timely identification, reporting, and remediation of system flaws like the Apache NimBLE encryption pause mishandling by upgrading to version 1.9.0.