CVE-2024-2104 PUBLISHED

JBL: Improper BLE security configurations and lack of authentication on the device's GATT server

Assigner: CERTVDE
Reserved: 01.03.2024 Published: 10.12.2025 Updated: 10.12.2025

Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Adjacent Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	JBL
Product	LIVE PRO 2 TWS
Versions	Default: unaffected Version * is affected

Vendor	JBL
Product	TUNE FLEX
Versions	Default: unaffected Version * is affected

CVE-2024-2104 PUBLISHED

JBL: Improper BLE security configurations and lack of authentication on the device's GATT server

Metrics

Product Status

Credits

References

Problem Types