CVE-2024-2104

JBL: Improper BLE security configurations and lack of authentication on the device's GATT server

CVSS 8.8 HIGHEPSS 0.2%CWE-306

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.8EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

10 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable.

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

JBL · LIVE PRO 2 TWS JBL · TUNE FLEX

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://certvde.com/en/advisories/VDE-2024-076 https://harman.csaf-tp.certvde.com/.well-known/csaf/white/2025/hbsa-2025-0001.json