Severity by source
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security vulnerability has been detected in OmniPEMF NeoRhythm up to 20260308. This affects an unknown function of the component BLE Interface. Such manipulation leads to missing authentication. The attack can only be initiated within the local network. This attack is characterized by high complexity. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
OmniPEMF NeoRhythm contains a missing authentication vulnerability in its Bluetooth Low Energy (BLE) interface that allows unauthenticated local network attackers to achieve limited unauthorized access. The vulnerability affects all versions up to and including 20260308 and requires high attack complexity but results in confidentiality, integrity, and availability impacts. While the CVSS score is moderate at 5.0, the vendor has failed to respond to early disclosure notifications, leaving affected users without official patches or timeline guidance.
Technical ContextAI
The vulnerability exists in the BLE Interface component of OmniPEMF NeoRhythm, a Bluetooth-enabled medical device or wellness application. The root cause is classified under CWE-306 (Missing Authentication for Critical Function), indicating that the BLE interface fails to properly authenticate incoming commands or connections before processing sensitive operations. BLE operates on a short-range wireless protocol commonly used in wearables, medical devices, and personal health equipment. The affected product CPE (cpe:2.3:a:omnipemf:neorhythm:*:*:*:*:*:*:*:*) indicates all versions of the OmniPEMF NeoRhythm application are potentially vulnerable up to build date 20260308. The authentication bypass likely permits an attacker in radio proximity to interact with the device or its connected systems without proper credential validation.
RemediationAI
Users of OmniPEMF NeoRhythm should immediately check the vendor's website (omnipemf.com or equivalent) for patched versions beyond build 20260308, though the vendor's unresponsiveness suggests patches may not be available. If a patched version is released, upgrade to it without delay. Until vendor patches become available, mitigate risk by restricting BLE connectivity to trusted devices only, disabling BLE functionality when not in active use, keeping the NeoRhythm device and any connected applications updated to the latest available version, and isolating the device on a segmented network with minimal access to critical systems. Consider contacting OmniPEMF directly via alternative channels to escalate the vendor response issue. For organizations using NeoRhythm in medical or sensitive contexts, document this vulnerability in your risk register and evaluate whether alternative products with active vendor support should be considered.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14254
GHSA-jj82-76v6-933r