Cyber Resilience

CVE-2026-2065

Medium

Published: 06 February 2026
Modified: 05 March 2026
CVSS v4 score: 5.3 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0055 (41.7th percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-2065 is a medium-severity Improper Authentication (CWE-287) vulnerability in Flycatcher Smart Pixelator Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 41.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2026-2065 is a security vulnerability in Flycatcher Toys smART Pixelator 2.0, specifically affecting an unknown functionality within its Bluetooth Low Energy Interface component. The flaw stems from missing authentication, mapped to CWE-287 (Improper Authentication), CWE-306 (Missing Authentication for Critical Function), and CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-06.

Attackers on the local network can exploit this issue with low complexity, no required privileges, and no user interaction. Manipulation of the vulnerable component enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized access or control over affected device functions.

VulDB advisories (ctiid.344632, id.344632) and a GitHub repository (davidrxchester/smart-pixelator-upload) hosting a proof-of-concept exploit (poc.py) confirm the issue, noting that the vendor was contacted early but provided no response. No patches or official mitigations are available.

The exploit has been publicly released and may be used for attacks, increasing the risk for exposed devices on local networks.

Vulnerability details

A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Missing authentication on BLE interface directly enables exploitation of the device's remote service for unauthorized access/control.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27182 (shared CWE-306)
CVE-2026-21633 (shared CWE-287)
CVE-2024-6107 (shared CWE-287)
CVE-2026-24241 (shared CWE-287)
CVE-2026-26742 (shared CWE-862)
CVE-2025-13779 (shared CWE-306)
CVE-2026-41352 (shared CWE-862)
CVE-2026-22727 (shared CWE-306)
CVE-2025-7862 (shared CWE-287, CWE-306)
CVE-2026-2249 (shared CWE-287, CWE-306)

Affected Assets

Flycatcher smART Pixelator firmware, all versions

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Directly enforces authentication before allowing any manipulation of the BLE interface functions, blocking the missing-authentication flaw exploited by CVE-2026-2065.

Prevent (IA-3, Device Identification and Authentication): Requires cryptographic or mutual device identification and authentication for all Bluetooth Low Energy connections, directly closing the unauthenticated access vector in the smART Pixelator.

Prevent: Mandates authentication and encryption for wireless (BLE) network access, limiting the local-network attack surface described in the CVE.
