{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4584", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-22T08:59:05.897Z", "datePublished": "2026-03-23T11:14:52.147Z", "dateUpdated": "2026-03-23T13:52:24.305Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-23T11:14:52.147Z"}, "title": "Shenzhen HCC Technology MPOS M6 PLUS Cardholder Data cleartext transmission", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-319", "lang": "en", "description": "Cleartext Transmission of Sensitive Information"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-310", "lang": "en", "description": "Cryptographic Issues"}]}], "affected": [{"vendor": "Shenzhen HCC Technology", "product": "MPOS M6 PLUS", "versions": [{"version": "1V.31-N", "status": "affected"}], "modules": ["Cardholder Data Handler"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affects an unknown part of the component Cardholder Data Handler. Executing a manipulation can lead to cleartext transmission of sensitive information. The attack requires access to the local network. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "LOW"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.8, "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-22T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-22T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-22T10:04:15.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "davimo (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.352421", "name": "VDB-352421 | Shenzhen HCC Technology MPOS M6 PLUS Cardholder Data cleartext transmission", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.352421", "name": "VDB-352421 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775435", "name": "Submit #775435 | Shenzhen HCC Technology Co., Ltd M6PLUS MPOS M6PLUS-FW-1V.31-N Cleartext Sensitive Data Transmission", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Davim09/m6plusexploit/blob/main/docs/CVE-3-DataExposure.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T13:52:15.856043Z", "id": "CVE-2026-4584", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T13:52:24.305Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4584", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T13:52:15.856043Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T13:52:20.320Z"}}], "cna": {"title": "Shenzhen HCC Technology MPOS M6 PLUS Cardholder Data cleartext transmission", "credits": [{"lang": "en", "type": "reporter", "value": "davimo (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.8, "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Shenzhen HCC Technology", "modules": ["Cardholder Data Handler"], "product": "MPOS M6 PLUS", "versions": [{"status": "affected", "version": "1V.31-N"}]}], "timeline": [{"lang": "en", "time": "2026-03-22T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-22T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-22T10:04:15.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352421", "name": "VDB-352421 | Shenzhen HCC Technology MPOS M6 PLUS Cardholder Data cleartext transmission", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.352421", "name": "VDB-352421 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775435", "name": "Submit #775435 | Shenzhen HCC Technology Co., Ltd M6PLUS MPOS M6PLUS-FW-1V.31-N Cleartext Sensitive Data Transmission", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Davim09/m6plusexploit/blob/main/docs/CVE-3-DataExposure.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affects an unknown part of the component Cardholder Data Handler. Executing a manipulation can lead to cleartext transmission of sensitive information. The attack requires access to the local network. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "Cleartext Transmission of Sensitive Information"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-310", "description": "Cryptographic Issues"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-23T11:14:52.147Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4584", "state": "PUBLISHED", "dateUpdated": "2026-03-23T13:52:24.305Z", "dateReserved": "2026-03-22T08:59:05.897Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-23T11:14:52.147Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affects an unknown part of the component Cardholder Data Handler. Executing a manipulation can lead to cleartext transmission of sensitive information. The attack requires access to the local network. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Esto afecta a una parte desconocida del componente Gestor de Datos del Titular de la Tarjeta. La ejecuci\u00f3n de una manipulaci\u00f3n puede conducir a la transmisi\u00f3n en texto claro de informaci\u00f3n sensible. El ataque requiere acceso a la red local. El ataque requiere un alto nivel de complejidad. Se indica que la explotabilidad es dif\u00edcil. Se contact\u00f3 al proveedor con antelaci\u00f3n sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-4584", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.2, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-23T12:16:23.450", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Davim09/m6plusexploit/blob/main/docs/CVE-3-DataExposure.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352421"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352421"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.775435"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}, {"lang": "en", "value": "CWE-319"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1V.31-N"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MPOS M6 PLUS", "source": "cna", "vendor": "Shenzhen HCC Technology"}, "product": "mpos_m6_plus", "vendor": "shenzhen_hcc_technology"}], "analysis": {"en": {"generated_at": "2026-03-23T12:21:16.884681+00:00", "value": {"mitigation_remediation": ["Contact Shenzhen HCC Technology for a firmware patch addressing the cleartext transmission flaw.", "If a patch is not available, isolate the MPOS M6 PLUS device from other local network segments and enforce strict firewall rules limiting outbound connections.", "Enable logging and forensic monitoring for outbound transmissions containing cardholder data to detect potential leaks.", "Regularly review and update security policies to ensure that card data is transmitted only over secure channels when the device is operational."], "summary": {"action": "Apply Fix", "impact": "Cleartext transmission of cardholder data"}, "threat_synthesis": {"affected_systems": "The affected product is the MPOS M6 PLUS handheld payment terminal produced by Shenzhen HCC Technology, specifically version 1V.31\u2011N. The flaw is present in an unknown part of the Cardholder Data Handler component, and the exploit requires local network access to the device.", "description_and_impact": "A flaw in the Cardholder Data Handler component of Shenzhen HCC Technology's MPOS M6 PLUS 1V.31\u2011N allows an attacker to manipulate the system so that sensitive cardholder data is transmitted in cleartext. This vulnerability, categorized as CWE\u2011310 and CWE\u2011319, exposes customer payment information to anyone who can observe the local network traffic, leading to direct confidentiality compromise.", "risk_and_exploitability": "The CVSS base score is 2.3, indicating a low overall severity, and no EPSS or KEV listing is available, which suggests limited public exploitation. However, the attack requires local network connectivity, high complexity, and is considered difficult to exploit. Because cardholder data is exposed in cleartext, the risk to confidentiality is significant if an attacker is able to intercept the traffic, even though the overall likelihood of exploitation is low."}}}}, "created": "2026-03-24T10:34:46.269536+00:00", "updated": "2026-03-25T14:49:21.851069+00:00", "vendors": ["shenzhen_hcc_technology", "shenzhen_hcc_technology$PRODUCT$mpos_m6_plus"]}