Submit #775435: Shenzhen HCC Technology Co., Ltd M6PLUS MPOS M6PLUS-FW-1V.31-N Cleartext Sensitive Data Transmission

Title: Shenzhen HCC Technology Co., Ltd M6PLUS MPOS M6PLUS-FW-1V.31-N Cleartext Sensitive Data Transmission
Description: A vulnerability was found in the Shenzhen JingHanDa M6PLUS Mobile Payment Terminal. The flaw is located within the Bluetooth response messages (RX packets), where the device transmits complete sensitive cardholder data in cleartext following transaction processing. Classified as CWE-319 (Cleartext Transmission of Sensitive Information) and CWE-359 (Exposure of Private Personal Information), this vulnerability exists because the terminal does not implement application-layer encryption for its communication with the mobile app. Consequently, any adversary with Bluetooth sniffing capabilities can intercept and read highly confidential financial information, leading to a severe impact on cardholder confidentiality. The technical analysis reveals that several critical EMV tags are exposed in an unencrypted ASCII or hexadecimal format. Specifically, the terminal returns the Full PAN (Tag 1F51), Track 2 Equivalent Data (Tag 57), Cardholder Name (Tag 1F55), Card Expiry Date (Tag 1F4E), and a complete EMV IC Data Block (Tag 1F48) containing over 300 bytes of internal chip data. This practice directly violates multiple PCI-DSS v3.2.1 requirements, including Requirement 3.3 (failure to mask PAN), Requirement 3.4 (failure to render PAN unreadable), and Requirement 4.2 (transmission of unprotected PANs). The exposure of the Track 2 data is particularly critical, as it provides sufficient information for physical card cloning and online fraud. This vulnerability is orthogonal to authentication or replay flaws; even if those are fixed, the terminal would still leak sensitive data. Although the manufacturer, Shenzhen JingHanDa Technology Co., Ltd., was already formally contacted, no immediate firmware patches were available at the time of reporting. Recommended mitigations include immediate PAN masking (returning only the last 4 digits), total removal of Track 2 data from responses, and the implementation of AES-256-GCM application-layer encryption.
Source: ⚠️ https://github.com/Davim09/m6plusexploit/blob/main/docs/CVE-3-DataExposure.md
User: davimo (UID 79678)
Submission: 03/09/2026 01:41 (1 month ago)
Moderation: 03/22/2026 09:59 (13 days later)
Status: Accepted
VulDB entry: 352421 [Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N Cardholder Data cleartext transmission]
Points: 20
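
The two response-level mitigations named in the description (PAN masking and Track 2 removal), together with a check for which of the listed tags remain readable, as an added example that is not code from the submission or the vendor. The tag numbers come from the description; the BER-TLV framing, the ASCII PAN encoding and all sample bytes are assumptions constructed for illustration.

```python
# Added example. Tag numbers are from the advisory; the BER-TLV framing, the
# ASCII PAN encoding and every sample byte below are assumptions/constructed.
SENSITIVE = {"1F51": "Full PAN", "57": "Track 2 Equivalent Data",
             "1F55": "Cardholder Name", "1F4E": "Card Expiry Date",
             "1F48": "EMV IC Data Block"}

def parse_tlv(buf: bytes) -> list:
    """Split a flat BER-TLV buffer into (tag_hex, value) pairs."""
    out, i = [], 0
    try:
        while i < len(buf):
            start = i
            if buf[i] & 0x1F == 0x1F:      # multi-byte tag such as 1F51
                i += 1
                while buf[i] & 0x80:       # tag continuation bytes
                    i += 1
            i += 1
            tag = buf[start:i].hex().upper()
            length = buf[i]
            i += 1
            if length & 0x80:              # long form: next n bytes hold the length
                n = length & 0x7F
                length = int.from_bytes(buf[i:i + n], "big")
                i += n
            if i + length > len(buf):
                raise IndexError
            out.append((tag, buf[i:i + length]))
            i += length
    except IndexError:
        raise ValueError("truncated TLV data") from None
    return out

def exposed_fields(pairs: list) -> list:
    """Advisory-listed fields still readable in a parsed response."""
    return [SENSITIVE[t] for t, v in pairs
            if t in SENSITIVE and not (t == "1F51" and b"*" in v)]

def sanitize(pairs: list) -> list:
    """Mask the PAN to its last 4 digits and remove Track 2 (tag 57)."""
    return [(t, b"*" * (len(v) - 4) + v[-4:] if t == "1F51" else v)
            for t, v in pairs if t != "57"]

# Constructed response; 4111111111111111 is a widely used test card number.
_short = lambda tag, v: bytes.fromhex(tag) + bytes([len(v)]) + v  # short-form length
SAMPLE = (_short("1F51", b"4111111111111111")
          + _short("57", bytes.fromhex("4111 1111 1111 1111 D301 2201 0000 000F"))
          + _short("1F55", b"DOE/JANE") + _short("1F4E", b"3012")
          + bytes.fromhex("1F4882012C") + bytes(300))
```

After `sanitize`, `exposed_fields` still reports the cardholder name, expiry date and IC data block, which is the remainder the recommended application-layer encryption would have to cover.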
