CVE-2025-69969
Received Received - Intake
Unauthenticated BLE Command Execution and Firmware Hijack in Pebble Prism Ultra

Publication date: 2026-03-04

Last updated on: 2026-03-09

Assigner: MITRE

Description
A lack of authentication and authorization mechanisms in the Bluetooth Low Energy (BLE) communication protocol of SRK Powertech Pvt Ltd Pebble Prism Ultra v2.9.2 allows attackers to reverse engineer the protocol and execute arbitrary commands on the device without establishing a connection. This is exploitable over Bluetooth Low Energy (BLE) proximity (Adjacent), requiring no physical contact with the device. Furthermore, the vulnerability is not limited to arbitrary commands but includes cleartext data interception and unauthenticated firmware hijacking via OTA services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69969
EUVD
EUVD-2025-208281
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pebblepower pebble_prism_ultra_firmware to 2.5.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-311 The product does not encrypt sensitive or critical information before storage or transmission.
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-69969 is a critical security vulnerability in the Bluetooth Low Energy (BLE) implementation of the Pebble Prism Ultra smartwatch by SRK Powertech Pvt Ltd and other devices using a shared SDK. The vulnerability arises from a lack of proper authentication and encryption mechanisms in the BLE protocol, specifically using the "Just Works" pairing method which provides no man-in-the-middle protection or encryption.'}, {'type': 'paragraph', 'content': 'This flaw allows attackers within Bluetooth range to intercept sensitive data such as SMS, caller ID, and app notifications transmitted in cleartext, and to inject arbitrary commands or spoofed alerts onto the device without establishing a secure connection. Additionally, attackers can hijack the device firmware via unauthenticated over-the-air (OTA) update services, enabling malicious firmware installation.'}, {'type': 'paragraph', 'content': 'The vulnerability exploits weaknesses like missing encryption (CWE-311), cleartext transmission of sensitive information (CWE-319), and missing authentication for critical functions (CWE-306), making it possible to compromise confidentiality, integrity, and availability of the device.'}] [1, 2]

Impact Analysis

This vulnerability can have severe impacts on users of affected devices:

  • Confidentiality: Attackers can passively sniff and intercept sensitive personal data such as SMS messages, caller identities, and two-factor authentication codes transmitted in cleartext over BLE.
  • Integrity: Attackers can inject fraudulent notifications or alerts onto the device, potentially enabling social engineering attacks like fake emergency alerts or false two-factor authentication prompts.
  • Availability: The vulnerability allows unauthenticated firmware hijacking via OTA updates, which can lead to device malfunction, denial of service, or permanent compromise by installing malicious firmware.
  • Supply Chain Risk: Since the vulnerability stems from a shared SDK used by over 30 manufacturers, a wide range of devices are at risk, broadening the potential attack surface.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by analyzing Bluetooth Low Energy (BLE) traffic for unencrypted notification data and unauthorized write requests to the device's GATT characteristics."}, {'type': 'paragraph', 'content': 'One practical approach is to capture HCI Snoop Logs or BLE traffic using tools like Wireshark to inspect packets for cleartext notification data such as SMS, caller ID, or app alerts transmitted in UTF-16LE encoding.'}, {'type': 'paragraph', 'content': 'Additionally, using Linux BLE tools such as gatttool, you can attempt to connect to the device and send write requests to the primary service UUID 0000fee7-0000-1000-8000-00805f9b34fb to test if arbitrary commands or spoofed notifications can be injected without authentication.'}, {'type': 'list_item', 'content': 'Use Wireshark to capture and analyze BLE traffic for unencrypted notification packets.'}, {'type': 'list_item', 'content': 'Run the command: `sudo btmon` or capture HCI logs on Linux to monitor BLE communication.'}, {'type': 'list_item', 'content': "Use `gatttool` to connect and interact with the device's GATT characteristics, for example: `gatttool -b <device_mac> -I` then `connect` and `char-write-req` commands to test write access."}] [1, 2]

Mitigation Strategies

Immediate mitigation steps include disabling sensitive notification permissions in the companion app and avoiding pairing or using the device in untrusted or high-density Bluetooth environments.

Users should also avoid exposing the device to unknown Bluetooth devices within proximity to reduce the risk of unauthorized access or firmware hijacking.

From a vendor perspective, enforcing BLE Security Mode 1, Level 3 (Authenticated Pairing/Bonding) and implementing cryptographic signature verification for OTA firmware updates are critical to fully mitigate the vulnerability.

  • Disable sensitive notification permissions in the FitPro or Pebble Prism Ultra companion app.
  • Avoid pairing or using the device in untrusted or crowded Bluetooth environments.
  • Request or apply firmware updates from the vendor that enforce authenticated pairing and secure OTA updates once available.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69969. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart