Pepperl+Fuchs: ecom Mobile Devices prone to BlueBorne Attack

VDE-2019-004
Last update: 03/14/2019 08:52
Published at: 03/14/2019 08:52
Vendor(s): Pepperl+Fuchs SE
External ID: VDE-2019-004

Summary

A collection of Bluetooth attack vectors was discovered, and the related vulnerabilities, known as "BlueBorne", were disclosed. Collectively, these vulnerabilities endanger, among others, Windows, Linux and mobile operating systems like Android or iOS. An unauthenticated attacker may take control of devices and execute commands or access sensitive data.

Impact

An unauthenticated, remote attacker may be able to obtain private information about the device or user, execute arbitrary code on the device or perform a virtually invisible Man-in-the-middle (MitM) attack.

Affected Product(s)

Model no. Product name Affected versions
CT50-Ex vers:all/* CT50-Ex vers:all/*
Cx70-Ex vers:all/* Cx70-Ex vers:all/*
Ex-Handy 09 vers:all/* Ex-Handy 09 vers:all/*
Ex-Handy 209 vers:all/* Ex-Handy 209 vers:all/*
Pad-Ex 01 vers:all/* Pad-Ex 01 vers:all/*
Smart-Ex 01 vers:all/* Smart-Ex 01 vers:all/*
Smart-Ex 201 vers:all/* Smart-Ex 201 vers:all/*
Tab-Ex 01 vers:all/* Tab-Ex 01 vers:all/*
i.roc Ci70-Ex vers:all/* i.roc Ci70-Ex vers:all/*

Vulnerabilities

Published: 09/22/2025 14:58
Weakness: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary: A remote code execution vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146237.

Published: 09/22/2025 14:58
Weakness: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
Summary: A remote code execution vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146105.

Published: 09/22/2025 14:58
Weakness: ()
Summary: Microsoft Bluetooth Driver in Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703 allows a spoofing vulnerability due to Microsoft's implementation of the Bluetooth stack, aka "Microsoft Bluetooth Driver Spoofing Vulnerability".

Published: 09/22/2025 14:58
Weakness: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary: An information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63145701.

Published: 09/22/2025 14:58
Weakness: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary: An information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146698.

Remediation

Customers using affected Pepperl+Fuchs / ecom instruments products are advised to update the device.

For released firmware updates see table below.

Product           Date     Update Source
CT50-Ex Android   09/2017  FOTA-Update
CT50-Ex Windows   10/2017  Microsoft Update
Pad-Ex 01         09/2017  Microsoft Update
Smart-Ex 01       09/2018  FOTA-Update
Smart-Ex 201      10/2018  FOTA-Update

In case there is no update available, users should consider the following workaround:

Deactivation of Bluetooth on the device: Bluetooth that is unused or not needed should be switched off / disabled on affected devices.

Revision History

Version  Date              Summary
1        03/14/2019 08:52  Initial revision.