CVE-2019-19194

HIGH

Telink Semiconductor BLE SDK <November 2019 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-19194. PoCs published by louisabricot.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2019-19194, a vulnerability in Telink SMP implementations that allows bypassing the Secure Connections pairing procedure in Bluetooth Low Energy (BLE). The writeup includes an overview of BLE protocol stack, pairing procedures, and a theoretical Proof-of-Concept (PoC) script that demonstrates the exploit conceptually.

Description

The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation on Telink Semiconductor BLE SDK versions before November 2019 for TLSR8x5x through 3.4.0, TLSR823x through 1.3.0, and TLSR826x through 3.3 devices installs a zero long term key (LTK) if an out-of-order link-layer encryption request is received during Secure Connections pairing. An attacker in radio range can have arbitrary read/write access to protected GATT service data, cause a device crash, or possibly control a device's function by establishing an encrypted session with the zero LTK.

Exploits (1)

nomisec WRITEUP
by louisabricot · poc
https://github.com/louisabricot/writeup-cve-2019-19194

This repository provides a detailed technical analysis of CVE-2019-19194, a vulnerability in Telink SMP implementations that allows bypassing the Secure Connections pairing procedure in Bluetooth Low Energy (BLE). The writeup includes an overview of BLE protocol stack, pairing procedures, and a theoretical Proof-of-Concept (PoC) script that demonstrates the exploit conceptually.

Classification
Writeup 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Telink SMP implementations supporting Secure Connections pairing
No auth needed
Prerequisites: BLE device with Telink SMP implementation · Proximity to target device for BLE communication
MITRE ATT&CK
mistral-large-3 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2
Core References
Vendor Advisory x_refsource_misc
http://www.telink-semi.com/ble
Exploit, Third Party Advisory x_refsource_misc
https://asset-group.github.io/disclosures/sweyntooth/

Scores

CVSS v3 8.8
EPSS 0.0100
EPSS Percentile 58.6%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (5)
telink-semi/tlsr8232_ble_sdk < 1.3.0
telink-semi/tlsr8251_ble_sdk < 3.4.0
telink-semi/tlsr8253_ble_sdk < 3.4.0
telink-semi/tlsr8258_ble_sdk < 3.4.0
telink-semi/tlsr8269_ble_sdk < 3.3
Published Feb 12, 2020
Tracked Since Feb 18, 2026