Triple Threat: CVE-2026-4582/4583/4584 — mPOS Payment Terminal Bluetooth Vulnerabilities Expose Cardholder Data
Three newly published CVEs (CVE-2026-4582, CVE-2026-4583, CVE-2026-4584) affecting the Shenzhen HCC Technology MPOS M6 PLUS payment terminal reveal critical gaps in Bluetooth authentication and cleartext cardholder data handling. Though individually rated low-to-medium severity, the combined attack chain poses real fraud risk in retail and hospitality environments.
Published on March 23, 2026, three linked CVEs target the MPOS M6 PLUS (firmware 1V.31-N), a widely deployed mobile point-of-sale terminal used in retail, hospitality, and pop-up merchant environments. CVE-2026-4582 exposes missing Bluetooth authentication, CVE-2026-4583 enables authentication bypass via capture-replay, and CVE-2026-4584 reveals cardholder data transmitted in cleartext — a trifecta that enables a local attacker to intercept, replay, and steal payment data without device credentials.
Despite CVSS scores that individually sit in the low-to-medium range, the chained exploitation path is alarming for PCI DSS compliance teams. An attacker within Bluetooth range of a transaction can capture authentication tokens (CVE-2026-4583), bypass the device's security handshake (CVE-2026-4582), and then harvest cleartext cardholder data flowing through the device (CVE-2026-4584). A proof-of-concept exploit has been published to GitHub by the original reporter (handle: davimo). Shenzhen HCC Technology has not responded to responsible disclosure and no patches are available.
Security teams managing payment terminal fleets, particularly in environments with open public access (pop-up retail, food service, event venues), should treat this as a high-priority risk. The absence of vendor response and the availability of a PoC escalates urgency significantly beyond raw CVSS scores.
Key Findings
Three linked CVEs, published March 23, 2026, affect the Shenzhen HCC Technology MPOS M6 PLUS (firmware 1V.31-N), a mobile point-of-sale terminal deployed in retail, hospitality, and pop-up merchant environments.
CVE-2026-4582 is missing Bluetooth authentication, CVE-2026-4583 is authentication bypass via capture-replay, and CVE-2026-4584 is cardholder data transmitted in cleartext. Chained, they let an attacker within Bluetooth range intercept, replay, and steal payment data without device credentials.
The individual CVSS scores sit in the low-to-medium range, but the chained exploitation path is what matters for PCI DSS compliance teams.
Overview
Three coordinated CVEs affecting the Shenzhen HCC Technology MPOS M6 PLUS mobile payment terminal (firmware version 1V.31-N) were disclosed on March 23, 2026. Published via VulDB and assigned by the CVE Program, the trio targets the device's Bluetooth subsystem and cardholder data handling pipeline. Together, they constitute a practical attack chain against point-of-sale infrastructure in retail, food service, and event environments.
CVE-2026-4582 — Missing Authentication (CWE-306, CWE-287) in the Bluetooth component. CVSS 3.1: 5.0 (Medium). Allows anyone within Bluetooth range (the local/adjacent network) to reach device Bluetooth functions without presenting any credential.
CVE-2026-4583 — Authentication Bypass by Capture-Replay (CWE-294) in the Bluetooth Handler. CVSS 4.0: 2.3 (Low). Allows attackers to replay captured Bluetooth auth tokens to bypass security checks.
CVE-2026-4584 — Cleartext Transmission of Sensitive Information (CWE-319) in the Cardholder Data Handler. Allows passive interception of payment card data in transit over Bluetooth.
Technical Analysis
The attack chain exploits a fundamental design weakness in how the M6 PLUS handles Bluetooth-based device authentication and data transmission:
Phase 1 — Token Capture (CVE-2026-4583): An attacker within Bluetooth range passively sniffs Bluetooth communications during a legitimate session. The Bluetooth Handler does not implement replay protection (nonce-based or time-bound tokens), so captured authentication packets can be replayed indefinitely.
Phase 2 — Auth Bypass (CVE-2026-4582): Even without a captured token, the Bluetooth component has code paths where authentication is absent altogether, so an attacker within Bluetooth range can issue commands to device functions without ever authenticating.
Phase 3 — Data Harvest (CVE-2026-4584): Once the attacker has established a Bluetooth session (either via replay or unauthenticated access), cardholder data flowing through the Cardholder Data Handler is transmitted in cleartext — primary account numbers (PAN), expiry dates, and potentially track data are exposed over the air.
A public proof-of-concept (PoC) exploit has been published to GitHub (github.com/Davim09/m6plusexploit), lowering the technical bar for exploitation. The attack requires local network/Bluetooth proximity but no special privileges and no victim interaction. Attack complexity is rated high, but in CVSS terms "high complexity" means the attacker needs specific conditions to line up (here, being in range while a legitimate session is active), not advanced skill, and a crowded retail environment makes proximity trivial.
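To make Phase 1 concrete, and to show what the "non-replayable tokens" requirement in the long-term considerations below actually changes, here is an added Python simulation. It is not code from this page, the public PoC, or the vendor, and it does not implement the M6 PLUS protocol: the pairing key, the handler names and the message layout are constructed for illustration. The weak handler accepts a fixed token with no per-session binding; the hardened one issues a fresh nonce per session, accepts each nonce once, and so rejects a captured response.

```python
"""
Added simulation of the capture-replay weakness (CVE-2026-4583 pattern, CWE-294)
and of the per-session challenge/response that defeats it. Constructed for
illustration: not the M6 PLUS protocol, not the vendor's code, not the public PoC.
"""
import hashlib
import hmac
import secrets

# Constructed long-term pairing secret shared by terminal and merchant app (assumption).
PAIRING_KEY = b"example-pairing-key-not-real"


def static_token(key: bytes) -> bytes:
    """Weak design: proof of the key is a value that never changes, so a single
    captured packet authenticates forever."""
    return hmac.new(key, b"AUTH", hashlib.sha256).digest()


class StaticTokenTerminal:
    """Terminal-side handler with no replay protection: no challenge, fixed token."""

    def __init__(self, key: bytes):
        self.key = key

    def challenge(self) -> bytes:
        return b""  # nothing session-specific for the client to bind its answer to

    def verify(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(response, static_token(self.key))


class NonceTerminal:
    """Hardened handler: fresh 16-byte nonce per session, HMAC over that nonce,
    each nonce accepted once. A response captured in one session proves nothing
    in another. (A production version would also expire unanswered nonces.)"""

    def __init__(self, key: bytes, rng=secrets.token_bytes):
        self.key = key
        self._rng = rng
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = self._rng(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already-used nonce: reject before checking the MAC
        self._outstanding.discard(challenge)  # single use
        expected = hmac.new(self.key, b"AUTH" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def legit_client_response(key: bytes, challenge: bytes) -> bytes:
    """What the genuine merchant app sends under either design."""
    if challenge == b"":
        return static_token(key)
    return hmac.new(key, b"AUTH" + challenge, hashlib.sha256).digest()


def replay_attack(terminal) -> dict:
    """Phase 1 of the advisory's chain: sniff one legitimate session, then replay the
    captured response in a new session. The attacker never learns PAIRING_KEY."""
    c1 = terminal.challenge()
    r1 = legit_client_response(PAIRING_KEY, c1)
    legit_ok = terminal.verify(c1, r1)
    captured = r1  # the only thing the attacker sees go over the air

    c2 = terminal.challenge()                   # attacker opens a fresh session...
    replay_ok = terminal.verify(c2, captured)   # ...and replays the recorded bytes
    return {"legit": legit_ok, "replay": replay_ok}


if __name__ == "__main__":
    print("fixed token      :", replay_attack(StaticTokenTerminal(PAIRING_KEY)))
    print("per-session nonce:", replay_attack(NonceTerminal(PAIRING_KEY)))
```

The nonce scheme is the minimal fix for replay. It still relies on a pre-shared key, so it does not give the mutual authentication or per-session key agreement described under long-term considerations; binding the nonce into an ECDH-derived session key is the next step, and is what makes captured traffic useless for Phase 3 as well.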
Impact Assessment
Directly Affected Sectors
Retail & Point-of-Sale: High risk — mPOS terminals are used at checkout, in-aisle, and for mobile transactions. Attacker can park near checkout or pose as a customer.
Food Service & Hospitality: High risk — tableside payment, food trucks, pop-up vendors using wireless terminals.
Events & Ticketing: High risk — crowded environments with many simultaneous Bluetooth-enabled payment terminals.
Financial Services / Acquiring Banks: Compliance exposure under PCI DSS 4.0, especially requirements 4.2 (encryption in transit) and 8.x (authentication controls).
PCI DSS Compliance Implications
CVE-2026-4584 (cleartext cardholder data) is a direct violation of PCI DSS Requirement 4.2.1, which mandates strong cryptography for cardholder data transmitted over open or public networks; PCI DSS v4.0 explicitly lists Bluetooth among its examples of such networks. Organizations deploying affected terminals face potential fines, audit findings, and liability in the event of a breach. QSAs (Qualified Security Assessors) should treat MPOS M6 PLUS firmware 1V.31-N as a failed control against Requirement 4.2.1 pending vendor remediation.
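Phase 3 of the attack chain and Requirement 4.2.1 turn on the same question: does the over-the-air traffic actually carry the PAN in the clear? The following added Python example (not code from this page, the PoC, or the vendor) shows how an incident-response or assessment team would check a captured byte stream for it. The frame in SAMPLE_CAPTURE is constructed; it is not the M6 PLUS wire format, and the PANs in it are public test-range numbers. The scanner checks both ASCII digit runs and packed-BCD runs, the two encodings PANs commonly travel in, and uses the Luhn check to separate real card numbers from timestamps and reference numbers.

```python
"""
Added example: scan a captured byte stream for cleartext primary account numbers.
Sample data is constructed; the framing is illustrative, not the M6 PLUS protocol.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check, which every PAN satisfies; filters out timestamps, reference
    numbers and other digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style masking: keep first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _bcd_runs(data: bytes):
    """Yield (offset, digit_string) for maximal runs of bytes whose two nibbles are
    both 0-9, i.e. packed BCD as used for PANs in many payment messages."""
    start, buf = None, []
    for i, b in enumerate(data + b"\xff"):  # sentinel flushes the final run
        hi, lo = b >> 4, b & 0x0F
        if hi <= 9 and lo <= 9:
            if start is None:
                start = i
            buf.append(f"{hi}{lo}")
        elif start is not None:
            yield start, "".join(buf)
            start, buf = None, []


def find_cleartext_pans(data: bytes) -> list:
    """Return Luhn-valid 13-19 digit candidates found as ASCII digits or packed BCD.
    Only maximal digit runs are tested; a production scanner would also slide a
    window over longer runs in case the PAN abuts other numeric fields."""
    hits = []
    for m in re.finditer(rb"(?<![0-9])[0-9]{13,19}(?![0-9])", data):
        digits = m.group().decode()
        if luhn_ok(digits):
            hits.append({"encoding": "ascii", "offset": m.start(), "pan": mask(digits)})
    for off, digits in _bcd_runs(data):
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append({"encoding": "bcd", "offset": off, "pan": mask(digits)})
    return hits


# Constructed capture: made-up framing around one ASCII PAN and one packed-BCD PAN,
# plus digit runs that must NOT be reported (expiry, timestamp, Luhn-invalid reference).
SAMPLE_CAPTURE = (
    b"\xa5\x5a" + b"PAN=" + b"4111111111111111"          # test-range PAN, ASCII
    + b"|EXP=1228|" + b"\xff\xfe"
    + bytes.fromhex("5555555555554444")                   # test-range PAN, packed BCD
    + b"\xff" + b"TS=20260323120000|REF=1234567890123456|" + b"\x00\x00"
)

if __name__ == "__main__":
    for hit in find_cleartext_pans(SAMPLE_CAPTURE):
        print(hit)
```

Run this over a Bluetooth HCI capture (for example a btsnoop file exported from a phone or a Wireshark Bluetooth capture) rather than over transaction logs: a hit is evidence of cleartext cardholder data in transit, which is the finding a QSA needs for 4.2.1. Keep only the masked output; the scanner is itself handling cardholder data.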
Indicators of Compromise
Because the attack vector is Bluetooth and the capture phase is passive, the terminal itself records nothing and conventional network-based IOCs are of limited use. The following indicators are available:
Unexpected Bluetooth pairing attempts, or newly paired devices, on mPOS terminals
Bluetooth scanning or interception tooling (hcitool, btlejuice, Wireshark with Bluetooth capture) observed near terminal locations; passive capture never touches the terminal, so this depends on physical or RF monitoring rather than device logs
Anomalous transaction patterns following proximity events, for example several declines on one terminal followed by a success, consistent with replay attempts
Endpoint telemetry showing the public PoC repository (github.com/Davim09/m6plusexploit) cloned or executed on devices you manage
Recommendations
Immediate Actions (0–72 hours)
Inventory: Identify all deployed Shenzhen HCC Technology MPOS M6 PLUS units, specifically firmware version 1V.31-N.
Disable Bluetooth where possible: If Bluetooth connectivity is not required for your payment workflow, disable it on the terminal. Many mPOS units reach the merchant app only over Bluetooth; where that is the case this control is not available and terminal replacement (below) becomes the primary mitigation.
Physical security: Enforce supervised access to payment terminal areas. Restrict customer proximity to active terminals.
Contact acquiring bank / payment processor: Notify them of potential compliance exposure and ask about terminal replacement or compensating controls.
Monitor transaction logs: Flag anomalous transaction patterns, especially repeated auth failures followed by success on the same terminal.
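The transaction-pattern indicator in the IOC section and the "Monitor transaction logs" action above describe the same detection: a run of failures on one terminal followed shortly by a success. Here is an added Python implementation of it (not code from this page, the vendor, or any acquirer) run over a constructed log excerpt. The line format, terminal IDs and amounts are assumptions; the thresholds (three declines within five minutes) are starting points to tune against each merchant's normal decline rate.

```python
"""
Added detection example: repeated declines on one terminal followed by a success
within a short window. Log format and lines are constructed, not real output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: T-002 shows the pattern, T-001 is normal,
# T-003 has declines but spread far outside the window.
SAMPLE_LOG = """\
2026-03-24T10:00:05Z terminal=T-001 result=approved amount=12.50
2026-03-24T10:00:41Z terminal=T-002 result=declined amount=40.00
2026-03-24T10:01:10Z terminal=T-002 result=declined amount=40.00
2026-03-24T10:01:37Z terminal=T-002 result=declined amount=40.00
2026-03-24T10:02:02Z terminal=T-001 result=approved amount=8.00
2026-03-24T10:02:55Z terminal=T-002 result=approved amount=40.00
2026-03-24T10:05:00Z terminal=T-003 result=declined amount=5.00
2026-03-24T10:30:00Z terminal=T-003 result=declined amount=5.00
2026-03-24T10:59:00Z terminal=T-003 result=approved amount=5.00
"""


def parse_line(line: str):
    """Parse 'timestamp key=value ...' into (datetime, terminal_id, result)."""
    ts_str, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return (
        datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        fields["terminal"],
        fields["result"],
    )


def find_fail_then_success(log_text: str, min_failures: int = 3,
                           window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when a terminal approves a transaction after at least `min_failures`
    declines inside `window`. A success resets the terminal's streak, so each
    burst produces one alert, and stale declines are dropped as time advances."""
    recent = defaultdict(list)  # terminal -> timestamps of declines still in window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, term, result = parse_line(line)
        recent[term] = [t for t in recent[term] if ts - t <= window]
        if result == "declined":
            recent[term].append(ts)
        elif result == "approved":
            if len(recent[term]) >= min_failures:
                alerts.append({
                    "terminal": term,
                    "at": ts.isoformat(),
                    "prior_declines": len(recent[term]),
                    "first_decline": recent[term][0].isoformat(),
                })
            recent[term].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_fail_then_success(SAMPLE_LOG):
        print(alert)
```

The rule is deliberately narrow. It will not catch an attacker whose first replay succeeds, and a genuine customer retrying a declined card can trip it, so treat an alert as a prompt to pull the terminal's Bluetooth pairing history and CCTV for that window rather than as proof of fraud.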
Medium-Term Actions (1–4 weeks)
Replace or retire affected terminals: As no vendor patch is available and vendor disclosure attempts went unanswered, plan for terminal replacement. Evaluate alternative mPOS vendors with stronger security track records and responsive disclosure processes.
PCI DSS assessment: Engage QSA for gap assessment if affected terminals are in scope for cardholder data environment (CDE).
Vendor escalation: Attempt direct contact with Shenzhen HCC Technology. If unresponsive, escalate to your acquiring bank and payment card brands (Visa, Mastercard) for formal notification.
Network segmentation: Ensure mPOS terminals, and the merchant phones or tablets they pair with, are isolated on dedicated network segments with egress filtering. This limits what a compromised pairing can reach, but it does not close the Bluetooth vector itself.
Long-Term Considerations
Adopt a terminal procurement policy that requires vendors to maintain a published vulnerability disclosure program (VDP) and demonstrate patch responsiveness.
Favor payment terminals with end-to-end encryption (E2EE) and point-to-point encryption (P2PE) validated by PCI SSC.
Bluetooth-enabled payment devices should require mutual authentication with non-replayable credentials: a fresh per-session challenge (nonce) that each side must sign or MAC, ideally bound to a per-session ECDH key exchange, so that packets captured from one session are useless in any other.