CVE-2023-26980

low-risk
Published 2023-04-14

PAX Technology PAX A920 Pro PayDroid 8.1suffers from a Race Condition vulnerability, which allows attackers to bypass the payment software and force the OS to boot directly to Android during the boot process. NOTE: the vendor disputes this because the attack is not feasible: the home launcher will be loaded before any user applications.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.0/10 High
LOCAL / HIGH complexity

Affected Products (1)

Paydroid

Affected Vendors

Pax

References (6)

Mailing List https://docs.google.com/document/d/189b1494s8RF8ksaOijKhKb-3B8gj3pLUmgn0dqg-jqs/...
Exploit https://drive.google.com/drive/u/0/folders/14X-XTYhkiaIVBS3zf68VigG4-imbKEuV
Broken Link https://uploads.strikinglycdn.com/files/f1d54bf4-3803-480c-b4d3-0943f7dac76e/A92...
Mailing List https://docs.google.com/document/d/189b1494s8RF8ksaOijKhKb-3B8gj3pLUmgn0dqg-jqs/...
Exploit https://drive.google.com/drive/u/0/folders/14X-XTYhkiaIVBS3zf68VigG4-imbKEuV
Broken Link https://uploads.strikinglycdn.com/files/f1d54bf4-3803-480c-b4d3-0943f7dac76e/A92...
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal