Cyber Posture

CVE-2025-69969

Critical · Public PoC

Published: 04 March 2026

Modified: 09 March 2026
KEV Added
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0005 (percentile 15.3)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-69969 is a critical-severity Missing Encryption of Sensitive Data (CWE-311) vulnerability in Pebblepower Pebble Prism Ultra Firmware. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). By exploit likelihood it has an EPSS percentile of 15.3 (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and SC-40 (Wireless Link Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Mandates authorization, authentication, and encryption for wireless access, directly addressing the lack of authentication and authorization in the BLE protocol that allows arbitrary command execution.

prevent

Requires security safeguards to protect wireless links, mitigating cleartext data interception and unauthorized access over BLE proximity.

prevent

Enforces confidentiality and integrity protections for transmissions, countering cleartext interception and unauthenticated firmware hijacking via OTA services.

MITRE ATT&CK Enterprise Techniques · AI

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1040 Network Sniffing (Credential Access): Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

Why these techniques?

The vulnerability enables unauthenticated exploitation of the device's BLE service, from BLE proximity (adjacent access), for arbitrary command execution and cleartext interception.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A lack of authentication and authorization mechanisms in the Bluetooth Low Energy (BLE) communication protocol of SRK Powertech Pvt Ltd Pebble Prism Ultra v2.9.2 allows attackers to reverse engineer the protocol and execute arbitrary commands on the device without establishing a connection. This is exploitable over Bluetooth Low Energy (BLE) proximity (Adjacent), requiring no physical contact with the device. Furthermore, the vulnerability is not limited to arbitrary commands but includes cleartext data interception and unauthenticated firmware hijacking via OTA services.

Deeper analysis · AI

CVE-2025-69969 is a critical vulnerability in the Bluetooth Low Energy (BLE) communication protocol of the SRK Powertech Pvt Ltd Pebble Prism Ultra v2.9.2 device, published on 2026-03-04. It arises from a lack of authentication and authorization mechanisms, allowing attackers to reverse engineer the protocol and execute arbitrary commands without establishing a connection. The flaw also enables cleartext data interception and unauthenticated firmware hijacking via over-the-air (OTA) services. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-311 (Missing Encryption of Sensitive Data) and CWE-319 (Cleartext Transmission of Sensitive Information).

The attack requires only BLE proximity (adjacent access), with no physical contact, and has low attack complexity, no required privileges, and no user interaction. Any attacker in range can exploit it to execute arbitrary commands on the device, intercept sensitive data transmitted in cleartext, and perform unauthenticated firmware hijacking through OTA services, potentially leading to full device compromise with high impacts on confidentiality, integrity, and availability.

Mitigation guidance and further details are provided in the associated GitHub security advisory (GHSA-cp6q-87g8-mq77) and the BLEached-Security repository at https://github.com/mukundbhuva/BLEached-Security.

Details

CWE(s)

Affected Products

pebblepower · pebble prism ultra firmware · ≤ 2.5.8

CVEs Like This One

CVE-2025-70048 · Shared CWE-319
CVE-2025-0556 · Shared CWE-319
CVE-2026-30795 · Shared CWE-319
CVE-2024-44276 · Shared CWE-319
CVE-2026-22271 · Shared CWE-319
CVE-2026-23661 · Shared CWE-319
CVE-2025-13718 · Shared CWE-319
CVE-2025-69272 · Shared CWE-319
CVE-2026-32838 · Shared CWE-319
CVE-2025-67159 · Shared CWE-319

References