CVE-2018-9119
MEDIUMBrilliantTS FUZE Card BLE and MCU Firmware - Unauthenticated Data Extraction and Tampering via Bluetooth
Title source: llmDescription
An attacker with physical access to a BrilliantTS FUZE card (MCU firmware 0.1.73, BLE firmware 0.7.4) can unlock the card, extract credit card numbers, and tamper with data on the card via Bluetooth because no authentication is needed, as demonstrated by gatttool.
References (4)
Core 4
Core References
Third Party Advisory
https://blog.ice9.us/2018/04/stealing-credit-cards-from-fuze-bluetooth.html
Third Party Advisory
https://ice9.us/advisories/ICE9-2018-001.txt
Issue Tracking
https://www.reddit.com/r/netsec/comments/89qrp1/stealing_credit_cards_from_fuze_via_bluetooth/
Various Sources
https://www.elttam.com/blog/fuzereview/#content
Scores
CVSS v3
6.1
EPSS
0.0044
EPSS Percentile
35.3%
Attack Vector
PHYSICAL
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-306
Status
published
Products (2)
brilliantts/fuze_card_ble_firmware
0.7.4
brilliantts/fuze_card_mcu_firmware
0.1.73
Published
Apr 04, 2018
Tracked Since
Feb 18, 2026