Description
A security vulnerability has been detected in OmniPEMF NeoRhythm up to 20260308. This affects an unknown function of the component BLE Interface. Such manipulation leads to missing authentication. The attack can only be initiated within the local network. This attack is characterized by high complexity. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-21
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass in local BLE interface
Action: Assess
AI Analysis

Impact

A vulnerability in OmniPEMF NeoRhythm’s Bluetooth Low Energy interface allows an attacker on the same local network to manipulate an unknown function, causing authentication to be omitted. The flaw is classified as high complexity and difficult to exploit, which limits its practical threat but still permits unauthorized access to the device’s BLE interface. The CVSS score of 2.3 reflects a low-severity impact, meaning the risk to confidentiality, integrity, or availability is modest when the device is isolated from broader networks.

Affected Systems

The device affected is the OmniPEMF NeoRhythm, firmware versions up to 20260308. No additional software or OS versions are mentioned. The issue is exclusive to the specific BLE component within the device rather than the broader product line.

Risk and Exploitability

Because the attack is constrained to local network traffic, the overall threat surface is narrow. The combination of high complexity, a low CVSS score, and absence from the KEV catalog indicates that widespread exploitation is unlikely. Nonetheless, an attacker who has physical proximity or network access could exploit the missing authentication to gain control over the BLE interface if the device is not patched or otherwise secured.

Generated by OpenCVE AI on March 21, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure the device firmware is updated to a version later than 20260308 once a vendor patch becomes available.
  • Restrict BLE communication to trusted devices or sub‑nets, and employ strong network segmentation to isolate the NeoRhythm from public or untrusted local networks.
  • Monitor local wireless traffic for anomalous BLE connections and log any unauthorized access attempts.
  • Consult OmniPEMF support for additional guidance or intermediate mitigations while a patch is released.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Omnipemf; Omnipemf neorhythm
Vendors & Products | | Omnipemf; Omnipemf neorhythm

Sat, 21 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in OmniPEMF NeoRhythm up to 20260308. This affects an unknown function of the component BLE Interface. Such manipulation leads to missing authentication. The attack can only be initiated within the local network. This attack is characterized by high complexity. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | OmniPEMF NeoRhythm BLE missing authentication
Weaknesses | | CWE-287; CWE-306
References | |
Metrics | | cvssV2_0 {'score': 4.3, 'vector': 'AV:A/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 5, 'vector': 'CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}
 | | cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}
 | | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T16:40:08.348Z

Reserved: 2026-02-19T15:01:39.688Z

Link: CVE-2026-2756

Vulnrichment

Updated: 2026-03-23T16:17:51.535Z

NVD

Status: Deferred

Published: 2026-03-21T18:16:01.340

Modified: 2026-04-24T16:31:14.807

Link: CVE-2026-2756

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:47:00Z

Weaknesses