Security readout for executives and security teams
Plain-English summary
Some Cypress and Broadcom wireless combo chips can be disrupted over nearby Bluetooth if they lack a Bluetooth firmware update dated 2021-01-26. The supplied sources name CYW43455 as an example but do not provide a complete affected-product list. Treat this as a hardware/firmware exposure requiring inventory, not a generic software bug.
Executive priority
Prioritize inventory and firmware validation for Bluetooth-enabled devices in sensitive or operational environments. Business urgency is high where nearby disruption of Bluetooth could affect safety, availability, or trusted peripherals, but evidence for broad active exploitation is not provided.
Technical view
CVE-2020-10370 covers certain Cypress/Broadcom wireless combo chips missing a 2021-01-26 Bluetooth firmware update. The CVE describes a Bluetooth outage via a Spectra attack. The CVSS 3.1 score is 8.8 with adjacent attack vector, low complexity, no privileges, and no user interaction. Exact affected versions are not enumerated in the bundle.
Likely exposure
Exposure is most likely in devices using affected Cypress or Broadcom combo chips, especially CYW43455, with outdated Bluetooth firmware. The bundle does not identify full product lines, operating systems, or firmware package versions.
Exploitation context
The CVSS vector indicates adjacent-range access, no privileges, and no user interaction. The sources do not show CISA KEV listing or active exploitation. Public references indicate research context around Spectra, but the bundle only supports describing an outage risk.
Researcher notes
The main evidence gap is affected scope: the CVE bundle lists vendor and product as n/a while the description names only examples. Avoid overgeneralizing to all Broadcom or Cypress chips. Validate firmware lineage against vendor or distribution sources before declaring remediation complete.
Mitigation direction
- Identify assets using Cypress or Broadcom wireless combo chips, especially CYW43455.
- Apply vendor or distribution firmware containing the 2021-01-26 Bluetooth firmware update.
- Check Debian, Red Hat, and device vendor guidance for package-specific status.
- Prioritize high-value systems where Bluetooth availability affects operations.
- Disable Bluetooth where it is unnecessary and vendor firmware status is unknown.
Validation and detection
- Confirm whether managed devices contain affected Cypress or Broadcom combo chips.
- Verify installed Bluetooth firmware includes the 2021-01-26 update or vendor equivalent.
- Review distribution trackers for system-specific package status and remediation notes.
- Record systems where chip model or firmware date cannot be confirmed.
- Reassess exposure after firmware updates through normal asset management evidence.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2020-10370 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 8.8 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H2.85.9Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
8.8HighVector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source materials
- CVE List V5 sourceCVE List V5
- https://www.informatik.tu-darmstadt.de/seemoo/team_seemoo/jiska_classen/index.en.jspCVE reference
- https://github.com/RPi-Distro/bluez-firmware/commit/8445a53ce2c51a77472b908a0c8f6f8e1fa5c37aCVE reference
- https://security-tracker.debian.org/tracker/CVE-2020-10370CVE reference
- https://bugzilla.redhat.com/show_bug.cgi?id=2052676CVE reference
- https://www.informatik.tu-darmstadt.de/fb20/aktuelles_fb20/fb20_neuigkeiten/neuigkeiten_fb20_details_203136.de.jspCVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
