CVE-2025-36755 LOW

CVE-2025-36755: CleverDisplay BlueOne unauthorized BIOS access through physical USB keyboard

Vendor Cleverdisplay B.v.
Product BlueOne (CleverDisplay Hardware Player)
Weakness CWE-1244
Published December 12, 2025
Last update December 13, 2025

CVSS base score

2.4/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/V:D/RE:L/U:Green

What the vulnerability does

01 Description

The CleverDisplay BlueOne hardware player is designed with its USB interfaces physically enclosed and inaccessible under normal operating conditions. Researchers demonstrated that, after circumventing the device’s protective enclosure, it was possible to connect a USB keyboard and press ESC during boot to access the BIOS setup interface. BIOS settings could be viewed but not modified. This behavior slightly increases the attack surface by exposing internal system information (CWE-1244) once the enclosure is removed, but does not allow integrity or availability compromise under standard or tested configurations.

Key dates

02 Disclosure timeline

December 12, 2025 CVE published
December 13, 2025 Record updated