CVE-2025-36755
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: Dutch Institute for Vulnerability Disclosure

Description
The CleverDisplay BlueOne hardware player is designed with its USB interfaces physically enclosed and inaccessible under normal operating conditions. Researchers demonstrated that, after cicumventing the device’s protective enclosure, it was possible to connect a USB keyboard and press ESC during boot to access the BIOS setup interface. BIOS settings could be viewed but not modified. This behavior slightly increases the attack surface by exposing internal system information (CWE-1244) once the enclosure is removed, but does not allow integrity or availability compromise under standard or tested configurations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-36755
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1191 The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.
CWE-1244 The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability involves the CleverDisplay BlueOne hardware player, which has USB interfaces physically enclosed and normally inaccessible. Researchers showed that by bypassing the device's protective enclosure, an attacker can connect a USB keyboard and press ESC during boot to access the BIOS setup interface. While BIOS settings can be viewed, they cannot be modified. This exposure slightly increases the attack surface by revealing internal system information once the enclosure is removed.

Impact Analysis

This vulnerability allows an attacker who physically removes the device's enclosure to view BIOS settings by accessing the BIOS setup interface via a connected USB keyboard. Although the attacker cannot modify BIOS settings or compromise system integrity or availability under tested configurations, the exposure of internal system information increases the attack surface slightly.

Detection Guidance

This vulnerability involves physical access to the device's USB interface after removing its protective enclosure, allowing a USB keyboard to be connected and ESC pressed during boot to access BIOS information. Detection requires physical inspection to verify if the enclosure is intact. There are no network or system commands to detect this vulnerability remotely or via software.

Mitigation Strategies

To mitigate this vulnerability, ensure the physical enclosure of the CleverDisplay BlueOne hardware player remains intact and inaccessible to prevent unauthorized physical access. Restrict physical access to the device to trusted personnel only. Since BIOS settings cannot be modified, the risk is limited to information exposure if the enclosure is removed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36755. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart