Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (icscert) · only source for this CVE.
CVSS VectorVendor: icscert
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, causing denial-of-service conditions, and fuzzing characteristic values to induce unexpected behavior. Additionally, the Frontier X mobile application lacks proper BLE device authentication, allowing attackers to impersonate a legitimate Frontier X2 device and connect to the application. By cloning BLE advertisements and exposing expected GATT characteristics, attackers can manipulate activity states and inject fabricated health telemetry such as breathing rate, heart rate, strain, and other health-related data into the mobile application.
AnalysisAI
Unauthenticated BLE access to the Fourth Frontier X2 wearable cardiac monitor allows attackers within radio range to read and write critical GATT characteristics without pairing, enabling control of device functions and injection of fabricated health telemetry. The companion Frontier X Android and iOS applications additionally fail to authenticate paired devices, letting an attacker impersonate a legitimate X2 and feed falsified heart rate, breathing rate, and strain data into a victim's mobile app. No public exploit identified at time of analysis, and the issue is tracked under CISA ICS-MA-26-148-01.
Technical ContextAI
The Frontier X2 is a wearable continuous ECG/cardiac monitor that pairs with Android and iOS companion apps over Bluetooth Low Energy (BLE), exposing device state and telemetry through GATT (Generic Attribute Profile) characteristics. The root cause maps to CWE-306 (Missing Authentication for a Critical Function): the device's GATT server permits read/write operations on sensitive characteristics without requiring BLE bonding, pairing, or any application-layer authentication, and the mobile app similarly trusts any peripheral that broadcasts the expected advertisement payload and GATT service UUIDs. Affected CPEs are cpe:2.3:a:fourth_frontier:frontier_x2, cpe:2.3:a:fourth_frontier:frontier_x_android_application, and cpe:2.3:a:fourth_frontier:frontier_x_ios_application, all listed without version constraints in NVD.
RemediationAI
No vendor-released patch identified at time of analysis; the only vendor channel referenced is the Fourth Frontier contact page at https://fourthfrontier.com/pages/contact-us, so users and procurement teams should contact the vendor directly to obtain firmware and app updates and monitor ICSMA-26-148-01 (https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-148-01) for fix availability. As compensating controls, operate the Frontier X2 only in environments where untrusted parties are not within BLE range (roughly 10-30 meters), power the device off when not actively in use to remove the attack surface, and treat any unexpected vibration, activity start/stop, or anomalous telemetry as a potential indicator of tampering; on the mobile side, avoid initiating connections in public or crowded areas where a rogue advertiser could be present, and cross-check critical health readings against a second trusted source before acting on them clinically. These mitigations trade off convenience and continuous monitoring for integrity assurance and do not fully resolve the missing-authentication root cause.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33368
GHSA-frhh-w545-jjh2