PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-37271 Fire‑Boltt CVE debrief

The CVE record for CVE-2026-37271 was published on 2026-07-07T23:16:54.773Z and has not been modified since then. The NVD entry is currently Received. The Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, which could allow previously captured BLE packets to be replayed from a nearby device to trigger functionality on the smartwatch. Users of affected smartwatches should review and update their devices as necessary.

Vendor
Fire‑Boltt
Product
Smartwatch FB BGS001 Firmware MOY-JS14-2.0.4
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 should be aware of the Improper Authentication vulnerability. Affected smartwatch operators and security teams should review device configurations, implement additional authentication mechanisms for GATT Write Request commands, and monitor device activity for suspicious behavior.

Technical summary

The Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication. The device accepts GATT Write Request commands without sufficient authentication or strong session validation. Under specific conditions, previously captured BLE packets can be replayed from a nearby device to trigger functionality on the smartwatch. This vulnerability could potentially allow unauthorized access to smartwatch functionality.

Defensive priority

High priority for users of affected smartwatches to review and update their devices, implement additional authentication mechanisms, and monitor for suspicious activity.

Recommended defensive actions

  • Review device configurations and update firmware if available
  • Implement additional authentication mechanisms for GATT Write Request commands
  • Monitor device activity for suspicious behavior
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

Evidence is limited; further verification is required to confirm vulnerability details. The CVE record was published on 2026-07-07T23:16:54.773Z and has not been modified since then. The NVD entry is currently Received. Limited source information is available, and additional research is needed to fully understand the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T23:16:54.773Z and has not been modified since then. The NVD entry is currently Received.