CVE-2025-36755
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/V:D/RE:L/U:Green
Summary
The CleverDisplay BlueOne hardware player is designed with its USB interfaces physically enclosed and inaccessible under normal operating conditions. Researchers demonstrated that, after cicumventing the device’s protective enclosure, it was possible to connect a USB keyboard and press ESC during boot to access the BIOS setup interface. BIOS settings could be viewed but not modified. This behavior slightly increases the attack surface by exposing internal system information (CWE-1244) once the enclosure is removed, but does not allow integrity or availability compromise under standard or tested configurations.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| CleverDisplay B.V. | BlueOne (CleverDisplay Hardware Player) | 12.11.1 | affected |
| CleverDisplay B.V. | BlueOne (CleverDisplay Hardware Player) | 12.12.1 <= * | unaffected |
Weaknesses
- CWE-1244: CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State
- CWE-1191: CWE-1191: On-Chip Debug and Test Interface With Improper Access Control
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.