CVE-2026-4582
Received Received - Intake
Missing Authentication in Shenzhen HCC MPOS Bluetooth Component

Publication date: 2026-03-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this vulnerability is an unknown functionality of the component Bluetooth. Such manipulation leads to missing authentication. The attack must be carried out from within the local network. Attacks of this nature are highly complex. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4582
EUVD
EUVD-2026-14394
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shenzhen_hcc_technology mpos_m6_plus 1.31-n
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include implementing stronger authentication mechanisms for the Bluetooth communication of the terminal.

  • Implement HMAC-SHA256 for symmetric cryptographic authentication to ensure message integrity and authenticity.
  • Alternatively, implement TLS 1.3 to provide mutual authentication, encryption, and perfect forward secrecy.
  • Add device pairing validation using existing Bluetooth pairing mechanisms as a lower-cost but less secure mitigation.

These steps help prevent unauthorized command injection and protect sensitive transaction data.

Executive Summary

The CVE-2026-4582 vulnerability affects the Bluetooth protocol of the Shenzhen HCC Technology MPOS M6 PLUS device. It is caused by missing cryptographic authentication, meaning the device does not verify the legitimacy of connected Bluetooth devices or commands. Instead, it uses only a trivial single-byte XOR checksum for integrity, which is not secure and can be easily bypassed by an attacker. This allows any Bluetooth device to inject arbitrary transaction commands without proper authentication.

The attack requires an attacker to be within the local network and have a Bluetooth adapter, knowledge of the terminal’s MAC address, and understanding of the protocol. The attacker can connect to the terminal, craft malicious commands, recalculate the XOR checksum, and send commands that the terminal will process without verifying authenticity.

Impact Analysis

This vulnerability can have a high impact on confidentiality and integrity. An attacker can query sensitive data including full cardholder information, compromising confidentiality. They can also manipulate transaction parameters such as transaction amounts, cardholder verification methods, CVM limits, currency codes, and timestamps, affecting the integrity of transactions.

Because the protocol lacks authentication and anti-replay protections, attackers can perform unlimited unauthorized transactions, potentially causing financial loss and fraud. The scope of the impact extends beyond the device itself to downstream systems like acquirers and issuers.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by scanning for Bluetooth devices and identifying the Shenzhen HCC Technology MPOS M6 PLUS terminals on the local network. Tools like 'hcitool scan' can be used to discover the terminal's MAC address."}, {'type': 'paragraph', 'content': 'Once the device is identified, Bluetooth sniffing can be performed to analyze the protocol structure and check for the lack of cryptographic authentication and the use of a trivial single-byte XOR checksum.'}, {'type': 'list_item', 'content': "Use the command 'hcitool scan' to discover Bluetooth devices and obtain the MAC address of the terminal."}, {'type': 'list_item', 'content': 'Use Bluetooth sniffing tools to capture and analyze the communication to verify the absence of proper authentication mechanisms.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4582. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart