Security readout for executives and security teams
Plain-English summary
CVE-2020-10369 concerns some Cypress and Broadcom wireless combo chips that lack a January 2021 firmware update. The reported Spectra attack can infer memory contents, creating limited confidentiality, integrity, and availability risk. Public data in the bundle does not identify exact product CPEs or show known active exploitation.
Executive priority
Treat this as a moderate firmware hygiene issue. It is not documented here as actively exploited, but affected devices may leak memory-derived information when unpatched. Prioritize environments where nearby wireless access is realistic and where device firmware management is weak.
Technical view
The CVE maps to CWE-203 and has CVSS 3.1 score 5.5 with adjacent-network attack vector, low complexity, low privileges, and no user interaction. Exposure depends on vulnerable chip firmware predating the January 2021 update. The available source bundle does not provide a complete affected-product matrix.
Likely exposure
Organizations may be exposed through devices using affected Cypress or Broadcom wireless combo chips with outdated firmware. The bundle lists affected vendor and product as n/a, so exposure must be verified through hardware inventories, firmware versions, and vendor or distribution advisories.
Exploitation context
No CISA KEV listing is present, and the provided sources do not state active exploitation. The CVSS vector indicates an attacker would need adjacent access and low privileges, reducing broad internet-scale urgency but leaving risk in shared, local, or proximity-access environments.
Researcher notes
The CVE data is sparse: affected vendor/product entries are n/a and no precise CPEs are supplied. Analysis should center on firmware provenance, chip identification, and whether the January 2021 update is present. Avoid assuming every Broadcom or Cypress wireless chip is affected without vendor confirmation.
Mitigation direction
- Apply the January 2021 firmware update where applicable.
- Use vendor or distribution firmware packages for affected wireless chips.
- Review Raspberry Pi bluez-firmware updates if that package is in scope.
- Check device vendor guidance for exact affected models and firmware versions.
- Prioritize updates for shared offices, labs, and high-density wireless environments.
Validation and detection
- Inventory devices with Cypress or Broadcom wireless combo chips.
- Record wireless firmware versions and build dates.
- Confirm whether January 2021 or later firmware is installed.
- Review vendor, distribution, and Red Hat tracking for affected packages.
- Document systems where chip identity or firmware status remains unknown.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-203: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2020-10369 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.5 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L2.13.4Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
5.5MediumVector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Source materials
- CVE List V5 sourceCVE List V5
- https://www.informatik.tu-darmstadt.de/seemoo/team_seemoo/jiska_classen/index.en.jspCVE reference
- https://github.com/RPi-Distro/bluez-firmware/commit/8445a53ce2c51a77472b908a0c8f6f8e1fa5c37aCVE reference
- https://bugzilla.redhat.com/show_bug.cgi?id=2052676CVE reference
- https://www.informatik.tu-darmstadt.de/fb20/aktuelles_fb20/fb20_neuigkeiten/neuigkeiten_fb20_details_203136.de.jspCVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Observable Discrepancy
Observable Discrepancy represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
