CVE-2026-4583
Authentication Bypass via Replay in Shenzhen HCC Bluetooth Handler
Publication date: 2026-03-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shenzhen_hcc_technology | mpos_m6_plus | 1.31-n |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-294 | A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-4583 vulnerability affects the Bluetooth protocol of the Shenzhen HCC Technology MPOS M6 PLUS device. It lacks anti-replay protection mechanisms, allowing an attacker to capture legitimate Bluetooth commands and replay them repeatedly. This causes the terminal to process each replay as a new, independent transaction, effectively bypassing authentication.
The protocol is missing standard anti-replay controls such as nonces, timestamp validation, sequence counters, session identifiers, and command deduplication. Although commands contain a timestamp tag, the terminal does not validate it, making the timestamp ineffective against replay attacks.
The attack requires Bluetooth proximity and has low complexity; it needs no privileges or prior authentication, but it does require user interaction, since a legitimate transaction must take place for the attacker to capture it.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized multiplication of transactions on the affected terminal. For example, a single approved transaction of R$ 100 can be replayed multiple times, resulting in unlimited unauthorized charges.
While the attack does not impact confidentiality or availability, it has a high impact on integrity because it allows attackers to bypass authentication and perform fraudulent transactions without detection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Bluetooth protocol of the MPOS M6 PLUS terminal lacking anti-replay protections, allowing capture and replay of legitimate commands. Detection involves monitoring for repeated identical Bluetooth commands that result in multiple identical transactions.
Since the attack requires Bluetooth proximity and involves replaying captured packets, detection can be done by capturing Bluetooth traffic and analyzing it for repeated command packets whose proprietary Tag 1F03 timestamp is unchanged between copies; because the terminal does not validate that timestamp, identical copies are accepted as new transactions.
Specific commands to detect this vulnerability are not provided in the resources. However, using Bluetooth packet capture tools (e.g., hcidump or Wireshark with Bluetooth support) to capture and analyze traffic for repeated identical commands could help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting Bluetooth access to trusted devices only and limiting physical proximity to the terminal to prevent attackers from capturing Bluetooth commands.
Since the vulnerability arises from missing anti-replay protections such as nonces, timestamp validation, sequence counters, and command deduplication, the recommended remediation is to implement cryptographic nonces and timestamp validation in the Bluetooth protocol handling.
As the vendor has not responded, and no patches are available, physical security and network segmentation to isolate the device from untrusted Bluetooth devices are critical immediate steps.
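As an added example that is not part of this record or the vendor's code, the following Python implements both the detection rule from the Q&A (repeated commands with an unchanged Tag 1F03 timestamp) and the terminal-side validation named under mitigation; the command layout, the nonce field and the 30-second clock-skew window are assumptions for the example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Command:
    """One captured terminal command (constructed layout, not the vendor's real framing)."""
    seq: int        # capture order
    ts_1f03: str    # value carried in the proprietary timestamp tag 1F03, as captured
    payload: bytes  # the rest of the command, e.g. a sale for R$ 100

def find_replays(commands, window=50):
    """Flag commands that are byte-identical (tag 1F03 included) to an earlier
    command within `window` captures. A fresh legitimate sale would carry a new
    1F03 value, so an unchanged timestamp plus identical payload is the replay
    signature the advisory describes. Returns (replay seq, original seq) pairs."""
    first_seen = {}
    hits = []
    for cmd in commands:
        key = (cmd.ts_1f03, cmd.payload)
        origin = first_seen.get(key)
        if origin is not None and cmd.seq - origin <= window:
            hits.append((cmd.seq, origin))
        else:
            first_seen[key] = cmd.seq
    return hits

class AntiReplayGuard:
    """Terminal-side check the advisory says is missing: validate the timestamp
    against the terminal clock and refuse any (timestamp, nonce) pair already
    accepted. The nonce and the skew window are assumptions for the example."""
    def __init__(self, max_skew_s=30):
        self.max_skew_s = max_skew_s
        self.accepted = set()   # (ts, nonce) pairs already processed

    def accept(self, ts, nonce, now):
        if abs(now - ts) > self.max_skew_s:   # stale or future-dated command
            return False
        if (ts, nonce) in self.accepted:      # exact replay of an accepted command
            return False
        self.accepted.add((ts, nonce))
        return True

# Constructed capture: one legitimate R$ 100 sale (seq 1), an unrelated command,
# then two replays of the sale with the timestamp tag left unchanged.
SALE = b"\x9f\x02\x06\x00\x00\x00\x01\x00\x00"   # constructed amount field
CAPTURE = [
    Command(1, "20260323101500", SALE),
    Command(2, "20260323101530", b"\x5f\x2a\x02\x09\x86"),
    Command(3, "20260323101500", SALE),
    Command(4, "20260323101500", SALE),
]

if __name__ == "__main__":
    print(find_replays(CAPTURE))   # [(3, 1), (4, 1)]
```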