CVE-2023-42134

MEDIUM

PAX Android POS <8.1.0_Sagittarius_V11.1.45_20230314 - Local Code E...

Title source: llm

Description

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.45_20230314 or earlier can allow the signed partition overwrite and subsequently local code execution via hidden command. The attacker must have physical USB access to the device in order to exploit this vulnerability.

References (4)

[Permissions Required] https://ppn.paxengine.com/release/development

[Exploit, Third Party Advisory] https://blog.stmcyber.com/pax-pos-cves-2023/

[Third Party Advisory] https://cert.pl/en/posts/2024/01/CVE-2023-4818/

[Third Party Advisory] https://cert.pl/posts/2024/01/CVE-2023-4818/

Scores

CVSS v3 6.8

EPSS 0.0023

EPSS Percentile 45.9%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-912

Status published

Products (1)

paxtechnology/paydroid < 8.1.0_sagittarius_v11.1.45_20230314

Published Jan 15, 2024

Tracked Since Feb 18, 2026