LiveActive security incident?Get immediate response
CVE Record

CVE-2020-10369: Certain Cypress (and Broadcom) Wireless Combo chips, when a January 2021 firmware update is not present, al...

Certain Cypress (and Broadcom) Wireless Combo chips, when a January 2021 firmware update is not present, allow inferences about memory content via a "Spectra" attack.

MediumCVSS 5.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2020-10369 concerns some Cypress and Broadcom wireless combo chips that lack a January 2021 firmware update. The reported Spectra attack can infer memory contents, creating limited confidentiality, integrity, and availability risk. Public data in the bundle does not identify exact product CPEs or show known active exploitation.

Executive priority

Treat this as a moderate firmware hygiene issue. It is not documented here as actively exploited, but affected devices may leak memory-derived information when unpatched. Prioritize environments where nearby wireless access is realistic and where device firmware management is weak.

Technical view

The CVE maps to CWE-203 and has CVSS 3.1 score 5.5 with adjacent-network attack vector, low complexity, low privileges, and no user interaction. Exposure depends on vulnerable chip firmware predating the January 2021 update. The available source bundle does not provide a complete affected-product matrix.

Likely exposure

Organizations may be exposed through devices using affected Cypress or Broadcom wireless combo chips with outdated firmware. The bundle lists affected vendor and product as n/a, so exposure must be verified through hardware inventories, firmware versions, and vendor or distribution advisories.

Exploitation context

No CISA KEV listing is present, and the provided sources do not state active exploitation. The CVSS vector indicates an attacker would need adjacent access and low privileges, reducing broad internet-scale urgency but leaving risk in shared, local, or proximity-access environments.

Researcher notes

The CVE data is sparse: affected vendor/product entries are n/a and no precise CPEs are supplied. Analysis should center on firmware provenance, chip identification, and whether the January 2021 update is present. Avoid assuming every Broadcom or Cypress wireless chip is affected without vendor confirmation.

Mitigation direction

  • Apply the January 2021 firmware update where applicable.
  • Use vendor or distribution firmware packages for affected wireless chips.
  • Review Raspberry Pi bluez-firmware updates if that package is in scope.
  • Check device vendor guidance for exact affected models and firmware versions.
  • Prioritize updates for shared offices, labs, and high-density wireless environments.

Validation and detection

  • Inventory devices with Cypress or Broadcom wireless combo chips.
  • Record wireless firmware versions and build dates.
  • Confirm whether January 2021 or later firmware is installed.
  • Review vendor, distribution, and Red Hat tracking for affected packages.
  • Document systems where chip identity or firmware status remains unknown.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-203: Information exposure and cloud metadata lookup

Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-10369 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
5Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.5CVSS 3.1MediumCVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L2.13.4Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

5.5Medium
CVSS 3.1 vector shape for CVE-2020-10369Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-203 · source CWE mapping

Observable Discrepancy

Observable Discrepancy represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.