Executive Summary

The CVE-2026-4584 vulnerability affects the Shenzhen HCC Technology MPOS M6 PLUS payment terminal. It causes the terminal to transmit complete cardholder data in cleartext hexadecimal over Bluetooth when responding to transaction commands.

Exposed data includes the full Primary Account Number (PAN), Track 2 equivalent data (which contains PAN, expiry, service code, and discretionary data), cardholder name, and expiration date. This violates PCI-DSS security requirements and enables attackers to passively collect sensitive information.

Attackers can capture this data silently over Bluetooth without merchant awareness, enabling card cloning, identity theft, and card-not-present fraud. Additionally, attackers can replay recorded transaction commands to harvest multiple sets of cardholder data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to serious security impacts including exposure of full cardholder data, which enables card cloning and card-not-present fraud.

• Exposure of the full Primary Account Number (PAN) allows attackers to create cloned magnetic stripe cards.
• Exposure of cardholder name and expiration date facilitates identity theft and social engineering attacks.
• Attackers can passively collect sensitive data over Bluetooth without detection.
• Replay attacks allow attackers to harvest multiple sets of cardholder data by mimicking legitimate transaction commands.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability violates PCI-DSS requirements 3.2, 3.3, 3.4, and 4.2 by transmitting sensitive cardholder data in cleartext without proper masking or encryption.

Such violations can lead to non-compliance with PCI-DSS standards, which are critical for protecting payment card data.

While the CVE description and resources do not explicitly mention GDPR or HIPAA, exposure of sensitive personal data like cardholder names and payment information could potentially impact compliance with data protection regulations that require safeguarding personal data.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring Bluetooth traffic near the affected Shenzhen HCC Technology MPOS M6 PLUS device for cleartext transmission of sensitive cardholder data. Specifically, capturing and analyzing Bluetooth packets for unencrypted hexadecimal data containing full Primary Account Number (PAN), Track 2 equivalent data, cardholder name, and expiry date can indicate exploitation.'}, {'type': 'paragraph', 'content': "Commands to detect this may include using Bluetooth packet capture tools such as 'hcidump' or 'bluetoothctl' on Linux, or specialized Bluetooth sniffers, to capture traffic. For example, using 'sudo hcidump -X' to capture raw Bluetooth packets and then filtering for data patterns matching cardholder information in hexadecimal format."}, {'type': 'paragraph', 'content': 'Additionally, replaying captured transaction commands to the terminal and observing if cleartext cardholder data is returned can confirm the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing PAN masking to limit exposure of the full card number, although this alone does not fully comply with PCI-DSS requirements or protect Track 2 data.

Removing sensitive data tags from the transmitted Bluetooth data is recommended as it eliminates most PCI-DSS violations with minimal code changes and maintains backward compatibility.

The best practice is to implement end-to-end encryption of the cardholder data transmitted over Bluetooth, ensuring full PCI-DSS compliance and protection even if Bluetooth communications are intercepted. This requires application changes, key management, and handling larger response sizes.

Additionally, addressing missing cryptographic authentication and anti-replay protections will help prevent man-in-the-middle attacks and data harvesting from replayed transactions.

Useful 0 Not Useful 0