CVE-2026-4582
Missing Authentication in Shenzhen HCC MPOS Bluetooth Component
Publication date: 2026-03-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shenzhen_hcc_technology | mpos_m6_plus | 1.31-n |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing stronger authentication mechanisms for the Bluetooth communication of the terminal.
- Implement HMAC-SHA256 for symmetric cryptographic authentication to ensure message integrity and authenticity.
- Alternatively, implement TLS 1.3 to provide mutual authentication, encryption, and perfect forward secrecy.
- Add device pairing validation using existing Bluetooth pairing mechanisms as a lower-cost but less secure mitigation.
These steps help prevent unauthorized command injection and protect sensitive transaction data.
Can you explain this vulnerability to me?
The CVE-2026-4582 vulnerability affects the Bluetooth protocol of the Shenzhen HCC Technology MPOS M6 PLUS device. It is caused by missing cryptographic authentication, meaning the device does not verify the legitimacy of connected Bluetooth devices or commands. Instead, it uses only a trivial single-byte XOR checksum for integrity, which is not secure and can be easily bypassed by an attacker. This allows any Bluetooth device to inject arbitrary transaction commands without proper authentication.
The attack requires an attacker to be within the local network and have a Bluetooth adapter, knowledge of the terminalβs MAC address, and understanding of the protocol. The attacker can connect to the terminal, craft malicious commands, recalculate the XOR checksum, and send commands that the terminal will process without verifying authenticity.
How can this vulnerability impact me? :
This vulnerability can have a high impact on confidentiality and integrity. An attacker can query sensitive data including full cardholder information, compromising confidentiality. They can also manipulate transaction parameters such as transaction amounts, cardholder verification methods, CVM limits, currency codes, and timestamps, affecting the integrity of transactions.
Because the protocol lacks authentication and anti-replay protections, attackers can perform unlimited unauthorized transactions, potentially causing financial loss and fraud. The scope of the impact extends beyond the device itself to downstream systems like acquirers and issuers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by scanning for Bluetooth devices and identifying the Shenzhen HCC Technology MPOS M6 PLUS terminals on the local network. Tools like 'hcitool scan' can be used to discover the terminal's MAC address."}, {'type': 'paragraph', 'content': 'Once the device is identified, Bluetooth sniffing can be performed to analyze the protocol structure and check for the lack of cryptographic authentication and the use of a trivial single-byte XOR checksum.'}, {'type': 'list_item', 'content': "Use the command 'hcitool scan' to discover Bluetooth devices and obtain the MAC address of the terminal."}, {'type': 'list_item', 'content': 'Use Bluetooth sniffing tools to capture and analyze the communication to verify the absence of proper authentication mechanisms.'}] [1]