Description
A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affects an unknown part of the component Cardholder Data Handler. Executing a manipulation can lead to cleartext transmission of sensitive information. The attack requires access to the local network. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-23
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cleartext transmission of cardholder data
Action: Apply Fix
AI Analysis

Impact

A flaw in the Cardholder Data Handler component of Shenzhen HCC Technology's MPOS M6 PLUS 1V.31-N allows an attacker to manipulate the system so that sensitive cardholder data is transmitted in cleartext. This vulnerability, categorized as CWE-310 and CWE-319, exposes customer payment information to anyone who can observe the local network traffic, leading to direct confidentiality compromise.

Affected Systems

The affected product is the MPOS M6 PLUS handheld payment terminal produced by Shenzhen HCC Technology, specifically version 1V.31-N. The flaw is present in an unknown part of the Cardholder Data Handler component, and the exploit requires local network access to the device.

Risk and Exploitability

The CVSS base score is 2.3, indicating a low overall severity, and no EPSS or KEV listing is available, which suggests limited public exploitation. The attack also requires local network connectivity, has high complexity, and is considered difficult to exploit. Because cardholder data is exposed in cleartext, the risk to confidentiality is significant if an attacker is able to intercept the traffic, even though the overall likelihood of exploitation is low.

Generated by OpenCVE AI on March 23, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Shenzhen HCC Technology for a firmware patch addressing the cleartext transmission flaw.
  • If a patch is not available, isolate the MPOS M6 PLUS device from other local network segments and enforce strict firewall rules limiting outbound connections.
  • Enable logging and forensic monitoring for outbound transmissions containing cardholder data to detect potential leaks.
  • Regularly review and update security policies to ensure that card data is transmitted only over secure channels when the device is operational.



Advisories

No advisories yet.

History

Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Shenzhen Hcc Technology; Shenzhen Hcc Technology mpos M6 Plus
Vendors & Products | | Shenzhen Hcc Technology; Shenzhen Hcc Technology mpos M6 Plus

Mon, 23 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affects an unknown part of the component Cardholder Data Handler. Executing a manipulation can lead to cleartext transmission of sensitive information. The attack requires access to the local network. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Shenzhen HCC Technology MPOS M6 PLUS Cardholder Data cleartext transmission
Weaknesses | | CWE-310; CWE-319
References | |
Metrics | | cvssV2_0 {'score': 1.8, 'vector': 'AV:A/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0 {'score': 3.1, 'vector': 'CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T13:52:24.305Z

Reserved: 2026-03-22T08:59:05.897Z

Link: CVE-2026-4584

Vulnrichment

Updated: 2026-03-23T13:52:20.320Z

NVD

Status: Deferred

Published: 2026-03-23T12:16:23.450

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4584

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:21Z

Weaknesses