External risk intelligence

Fire-Boltt Smartwatch Improper Authentication via BLE Packet Replay

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-37271

The vulnerability affects Bluetooth Low Energy (BLE) communication on a smartwatch. Exploitation requires the attacker to be in close physical proximity to the device to send or capture BLE packets, meaning it is not reachable via the public internet.

Authentication Bypass

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Fire-Boltt Smartwatch firmware that allows unauthorized commands to be replayed, potentially enabling malicious actions on the device. This issue stems from insufficient authentication for certain device communications.

  • Smartwatches can be controlled remotely without proper checks.
  • Confirms security for connected devices needs ongoing review.
  • Ensure critical device security by validating all access.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by replaying previously captured Bluetooth Low Energy (BLE) packets to interact with a smartwatch. This attack leverages the device's insufficient authentication for GATT Write Request commands, allowing unauthorized access and control.

  • Requires nearby device access.
  • Replays BLE packets to trigger features.
  • Leads to unauthorized device control.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, functionality on the smartwatch could be triggered by replaying previously captured Bluetooth Low Energy (BLE) packets from a nearby device, due to insufficient authentication and session validation for GATT Write Request commands.

  • Smartwatch functionality and data.
  • Replaying captured BLE packets.
  • Unauthorized actions could occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

Fire-Boltt Smartwatch firmware is vulnerable to improper authentication, allowing previously captured Bluetooth Low Energy (BLE) packets to be replayed for unauthorized device control. Ownership likely falls to the product owner or firmware development team, with initial triage involving identifying affected devices, assessing business criticality, and confirming reachability.

  • Product owners and firmware teams.
  • Confirm device reachability and business criticality.
  • Plan coordinated remediation and vendor engagement.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Fire-Boltt Smartwatch FB BGS001?

It is a wearable device that tracks personal health and activity data. The FB BGS001 uses Bluetooth Low Energy (BLE) to communicate wirelessly with other devices, such as a user's smartphone, to sync information and manage settings. This firmware version, MOY-JS14-2.0.4, acts as the internal operating software managing these wireless connections.

What does Improper Authentication mean for CVE-2026-37271?

This vulnerability is classified as Improper Authentication (CWE-287). It means the smartwatch does not properly verify that a command coming over its Bluetooth connection is legitimate. Because the device accepts GATT Write Request commands without checking if the sender is authorized or if the session is valid, it blindly trusts instructions sent from other nearby Bluetooth devices.

How can an attacker trigger this smartwatch vulnerability?

An attacker must be in close physical proximity to the device to capture or send Bluetooth Low Energy (BLE) packets. The trigger involves replaying previously recorded communication data to the watch. Simply being on the same local network or connected to the internet does not trigger this bug, as it is limited to the short-range, direct wireless interface of the smartwatch.

Do I need to worry about this if my watch is not connected to the internet?

Yes, but the risk profile is specific. According to Halo Surface Signal, this vulnerability is very unlikely to be exploited remotely because it relies on BLE communication rather than public internet access. An attacker must be physically near you to interact with the device. It is a local-range concern rather than a remote-access threat.

When should I address the CVE-2026-37271 firmware issue?

You should begin by confirming if you are running firmware version MOY-JS14-2.0.4 on your FB BGS001 device. Because this is a firmware-level flaw, the primary step is to check for official updates from the manufacturer. Until a patch is available, be mindful of pairing your device in public, high-traffic environments where someone could potentially capture or inject Bluetooth traffic.

References