# Critical Vulnerability in Fourth Frontier Devices Exposes Patient Data **CISA** has issued an advisory regarding a critical vulnerability affecting **Fourth Frontier**'s Frontier X mobile application and Frontier X2 wearable devices. Successful exploitation could allow attackers to read and write arbitrary handle values, change clinical readings, and ultimately take control of the device, potentially leading to patient harm. [View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-148-01.json) ## Affected Products The following versions are affected: * Frontier X Android application versions prior to v15.0.0 * Frontier X iOS application versions prior to v25.0.0 * Frontier X2: All versions | CVSS | Vendor | Equipment | Vulnerabilities | | :----- | :-------------- | :-------------------------------------------------------------------------------------------------------- | :------------------------------------------------ | | v3 8.8 | Fourth Frontier | Fourth Frontier Frontier X Mobile Application, Frontier X2 | Missing Authentication for Critical Function | ### Background * **Critical Infrastructure Sectors:** Healthcare and Public Health * **Countries/Areas Deployed:** Worldwide * **Company Headquarters Location:** United States --- ## Vulnerability Details: CVE-2026-5768 The Frontier X2 device allows unauthenticated Bluetooth Low Energy (BLE) read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This enables attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, causing denial-of-service conditions, and manipulating characteristic values to induce unexpected behavior. Furthermore, the Frontier X mobile application lacks proper BLE device authentication, allowing attackers to impersonate a legitimate Frontier X2 device and connect to the application. By cloning BLE advertisements and exposing expected GATT characteristics, attackers can manipulate activity states and inject fabricated health telemetry such as breathing rate, heart rate, strain, and other health-related data into the mobile application. [View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-5768) --- ### Affected Products **Vendor:** Fourth Frontier **Product Version:** Frontier X Android application: <v15.0.0, Frontier X IOS application: <v25.0.0, Frontier X2: vers:all/* **Product Status:** known_affected **Relevant CWE:** [CWE-306 Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html) --- ## Mitigation Strategies **CISA** recommends the following defensive measures to minimize the risk of exploitation: * Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet. * Locate control system networks and remote devices behind firewalls and isolate them from business networks. * When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. * Perform proper impact analysis and risk assessment prior to deploying defensive measures. **CISA** encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Organizations observing suspected malicious activity should follow established internal procedures and report findings to **CISA** for tracking and correlation against other incidents. Currently, there are no known public reports of exploitation specifically targeting this vulnerability. The vulnerability is not exploitable remotely. --- ## Acknowledgments Shakir Zari and Jerin Sunny reported this vulnerability to **CISA**. --- ## Revision History * **Initial Release Date:** 2026-05-28 | Date | Revision | Summary | | :--------- | :------- | :----------------- | | 2026-05-28 | 1 | Initial Publication | --- ## Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).