CVE-2026-2756 identifies a security vulnerability in the OmniPEMF NeoRhythm product, specifically in the Bluetooth Low Energy (BLE) Interface component. The vulnerability arises from missing authentication controls, allowing an attacker within the local network to interact with the device without proper verification. The affected version is up to 20260308. The attack vector is local network access, meaning the attacker must be physically or logically close to the device's Bluetooth interface. The exploit requires high complexity, indicating advanced skills or conditions are necessary, and no user interaction or privileges are required to attempt exploitation. The vulnerability impacts confidentiality, integrity, and availability at a low level, as indicated by the CVSS 4.0 score of 2.3. No known exploits exist in the wild, and the vendor has not issued any patches or responded to the disclosure. The lack of authentication could allow unauthorized commands or data manipulation, potentially disrupting device operation or leaking sensitive information. However, the difficulty of exploitation and limited attack surface reduce the immediate threat level. Organizations using NeoRhythm devices should be aware of this vulnerability and consider network segmentation and monitoring to mitigate risk.

The potential impact of CVE-2026-2756 is relatively low due to the high complexity of exploitation and the requirement for local network access. However, if exploited, unauthorized actors could manipulate the NeoRhythm device via its BLE interface, potentially affecting the device's operation and leading to minor confidentiality and integrity breaches. This could disrupt device functionality or cause incorrect therapeutic outputs, which might affect users relying on the device for wellness or health purposes. Since the device operates in close proximity to users, any manipulation could undermine trust and safety. The absence of authentication increases the risk of unauthorized access, but the limited attack vector and difficulty reduce widespread impact. Organizations with NeoRhythm devices in healthcare, wellness centers, or personal use environments should consider the risk moderate but manageable with proper controls.

To mitigate CVE-2026-2756, organizations should implement strict local network access controls to limit Bluetooth interface exposure. Segment networks to isolate NeoRhythm devices from general user or guest networks, reducing the chance of unauthorized local access. Employ Bluetooth monitoring tools to detect unusual connection attempts or device behavior. Since no patches are currently available, consider disabling Bluetooth connectivity when not in use or using physical controls to restrict device access. Educate users about the risks of connecting to unknown or untrusted local networks. Additionally, maintain an inventory of affected devices and monitor vendor communications for future patches or updates. If possible, implement compensating controls such as VPNs or secure tunnels for remote access to local networks housing these devices. Finally, conduct regular security assessments focusing on BLE interfaces and local network vulnerabilities.