Description
The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, causing denial-of-service conditions, and fuzzing characteristic values to induce unexpected behavior. Additionally, the Frontier X mobile application lacks proper BLE device authentication, allowing attackers to impersonate a legitimate Frontier X2 device and connect to the application. By cloning BLE advertisements and exposing expected GATT characteristics, attackers can manipulate activity states and inject fabricated health telemetry such as breathing rate, heart rate, strain, and other health-related data into the mobile application.
Published: 2026-05-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Frontier X2 device exposes critical GATT characteristics through BLE without any authentication or authorization checks. An attacker who can reach the device via BLE can read or write these characteristics, allowing them to start or stop activities, trigger vibrations, or induce denial‑of‑service conditions. The companion mobile application also lacks proper device authentication, enabling an attacker to masquerade as a legitimate device and inject forged health telemetry such as breathing rate, heart rate, and strain data. This flaw represents a significant compromise of device integrity and confidentiality of patient data.

Affected Systems

The flaw impacts the Fourth Frontier Frontier X Android and iOS mobile applications as well as the Frontier X2 medical device. No specific version numbers are listed, so any current installation of these products is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is considered high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a local BLE connection; an attacker must be within Bluetooth range but does not need elevated privileges or remote network access. The lack of authentication makes exploitation straightforward for anyone who can transmit BLE commands to the device.

Generated by OpenCVE AI on May 29, 2026 at 18:23 UTC.

Remediation

Vendor Workaround

Fourth Frontier is aware of the vulnerability and is working on a fix. Users are encouraged to reach out to Fourth Frontier directly for assistance:  https://fourthfrontier.com/pages/contact-us Frontier X/X2 devices can connect to only one app at a time; users should first connect the Frontier X/X2 device using the Frontier X app and then start the activity.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or firmware update when it becomes available to enforce proper BLE authentication and authorization.
  • Contact Fourth Frontier through the provided support link to request a temporary fix or further mitigation guidance.
  • Until a patch is applied, restrict BLE exposure by disabling Bluetooth on the device or on other nearby devices and ensure the device is only paired with the approved Frontier X app.

Generated by OpenCVE AI on May 29, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Fourth Frontier
Fourth Frontier frontier X2
Fourth Frontier frontier X Android Application
Fourth Frontier frontier X Ios Application
Vendors & Products Fourth Frontier
Fourth Frontier frontier X2
Fourth Frontier frontier X Android Application
Fourth Frontier frontier X Ios Application

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, causing denial-of-service conditions, and fuzzing characteristic values to induce unexpected behavior. Additionally, the Frontier X mobile application lacks proper BLE device authentication, allowing attackers to impersonate a legitimate Frontier X2 device and connect to the application. By cloning BLE advertisements and exposing expected GATT characteristics, attackers can manipulate activity states and inject fabricated health telemetry such as breathing rate, heart rate, strain, and other health-related data into the mobile application.
Title Fourth Frontier Frontier X Mobile Application, Frontier X2 Missing Authentication for Critical Function
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Fourth Frontier Frontier X2 Frontier X Android Application Frontier X Ios Application
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-29T19:31:52.111Z

Reserved: 2026-04-07T20:28:13.672Z

Link: CVE-2026-5768

cve-icon Vulnrichment

Updated: 2026-05-29T19:31:47.018Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T18:17:12.997

Modified: 2026-06-16T16:03:27.593

Link: CVE-2026-5768

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:18:21Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function