Security readout for executives and security teams
Plain-English summary
A nearby attacker may be able to trick Bluetooth Mesh provisioning so a device joins without knowing the required authentication value. If successful, the attacker could obtain mesh network and application keys, giving them access to protected mesh communications. Public sources do not identify specific products, patches, or active exploitation.
Executive priority
Prioritize discovery and vendor confirmation. This is not documented as actively exploited, but compromise of mesh keys could affect confidentiality and trust in connected device networks.
Technical view
CVE-2020-26560 affects Bluetooth Mesh profile 1.0 and 1.0.1 provisioning. The issue involves reflecting authentication evidence from a Provisioner, allowing authentication completion without possession of the AuthValue and potentially exposing NetKey and AppKey material. The provided record has no CVSS, CWE, product CPEs, or vendor-specific remediation.
Likely exposure
Exposure is most likely in environments using Bluetooth Mesh devices based on profile 1.0 or 1.0.1, especially where provisioning occurs near untrusted devices. The source bundle does not identify affected vendors or products.
Exploitation context
The CVE requires a nearby device and concerns the provisioning process. The source bundle does not state active exploitation, and CISA KEV status is false, so exploitation should not be assumed public or active.
Researcher notes
Evidence is limited to the CVE description and public references. No affected product matrix, CVSS vector, exploit status, or named patch is present in the supplied bundle. Avoid extrapolating beyond Bluetooth Mesh 1.0 and 1.0.1 provisioning.
Mitigation direction
- Identify Bluetooth Mesh deployments and profile versions in use.
- Ask device vendors whether their products implement affected provisioning behavior.
- Follow Bluetooth SIG, CERT, and vendor remediation guidance when available.
- Restrict provisioning to controlled physical areas with trusted devices nearby.
- Consider key rotation after suspected unauthorized provisioning, if vendor-supported.
Validation and detection
- Inventory devices using Bluetooth Mesh profile 1.0 or 1.0.1.
- Review provisioning records for unexpected nodes or unexplained key distribution.
- Confirm vendor firmware or configuration guidance for each mesh product.
- Verify operational controls around who can provision devices and where.
- Document any devices lacking vendor status or upgrade paths.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2020-26560 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security/CVE reference · x_refsource_MISC
- https://kb.cert.org/vuls/id/799380CVE reference · x_refsource_MISC
- https://www.kb.cert.org/vuls/id/799380CVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
