CVE-2021-20107
MEDIUM
Sloan Optima EAF/EBF Firmware - Unauthenticated BLE Interface Access
Title source: llm
Description
There exists an unauthenticated BLE Interface in Sloan SmartFaucets including Optima EAF, Optima ETF/EBF, BASYS EFX, and Flushometers including SOLIS. The vulnerability allows for unauthenticated kinetic effects and information disclosure on the faucets. It is possible to use the Bluetooth Low Energy (BLE) connectivity to read and write to many BLE characteristics on the device. Some of these control the flow of water, the sensitivity of the sensors, and information about maintenance.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2021-26-0
Scores
CVSS v3
5.4
EPSS
0.0054
EPSS Percentile
41.4%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-306
Status
published
Products (50)
sloan/basys_efx-100_firmware
sloan/basys_efx-150_firmware
sloan/basys_efx-175_firmware
sloan/basys_efx-177_firmware
sloan/basys_efx-180_firmware
sloan/basys_efx-200_firmware
sloan/basys_efx-250_firmware
sloan/basys_efx-275_firmware
sloan/basys_efx-277_firmware
sloan/basys_efx-280_firmware
... and 40 more
Published
Jun 30, 2021
Tracked Since
Feb 18, 2026