CVE-2025-15474

MEDIUM

AuntyFey Smart Combination Lock - DoS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-15474. PoCs published by NSM-Barii.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2025-15474, a BLE-based DoS vulnerability affecting a commercial smart padlock. The exploit repeatedly initiates unauthenticated BLE connections to disrupt keypad input and force lockout states.

Description

AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections. Sustained connection attempts interrupt keypad authentication input and repeatedly force the device into lockout states, preventing legitimate users from unlocking the device.

Exploits (1)

nomisec WORKING POC 3 stars

by NSM-Barii · poc

https://github.com/NSM-Barii/CVE-2025-15474

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2025-15474, a BLE-based DoS vulnerability affecting a commercial smart padlock. The exploit repeatedly initiates unauthenticated BLE connections to disrupt keypad input and force lockout states.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: Commercial BLE smart padlock (Amazon Product B0F9L1M4XG)

No auth needed

Prerequisites: BLE-capable Linux · Python 3.x · bleak library · target MAC address

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Apr 24, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources technical-description exploit

https://github.com/nsm-barii/ble-smartlock-dos

Various Sources product

https://www.amazon.com/dp/B0F9L1M4XG

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/auntyfey-smart-combination-lock-ble-connection-flood-dos

Scores

CVSS v4 5.3

EPSS 0.0026

EPSS Percentile 16.9%

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (1)

AuntyFey/AuntyFey Smart Combination Lock < 2025-12-24

Published Jan 07, 2026

Tracked Since Feb 18, 2026