CVE-2025-36755
BaseFortify
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Dutch Institute for Vulnerability Disclosure
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1244 | The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents. |
| CWE-1191 | The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability involves the CleverDisplay BlueOne hardware player, which has USB interfaces physically enclosed and normally inaccessible. Researchers showed that by bypassing the device's protective enclosure, an attacker can connect a USB keyboard and press ESC during boot to access the BIOS setup interface. While BIOS settings can be viewed, they cannot be modified. This exposure slightly increases the attack surface by revealing internal system information once the enclosure is removed.
How can this vulnerability impact me? :
This vulnerability allows an attacker who physically removes the device's enclosure to view BIOS settings by accessing the BIOS setup interface via a connected USB keyboard. Although the attacker cannot modify BIOS settings or compromise system integrity or availability under tested configurations, the exposure of internal system information increases the attack surface slightly.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves physical access to the device's USB interface after removing its protective enclosure, allowing a USB keyboard to be connected and ESC pressed during boot to access BIOS information. Detection requires physical inspection to verify if the enclosure is intact. There are no network or system commands to detect this vulnerability remotely or via software.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure the physical enclosure of the CleverDisplay BlueOne hardware player remains intact and inaccessible to prevent unauthorized physical access. Restrict physical access to the device to trusted personnel only. Since BIOS settings cannot be modified, the risk is limited to information exposure if the enclosure is removed.