How the M6Plus Bluetooth POS Can Reverse‑Hijack Your PC via CVE‑2026‑4583
A security analysis of the M6Plus Bluetooth payment terminal reports a protocol flaw, tracked as CVE‑2026‑4583: the BLE protocol carries every frame in cleartext, has no replay protection, and relies on a one‑byte XOR checksum for integrity. An attacker in radio range can spoof the terminal, inject forged packets and, where the host‑side driver mishandles them, gain administrative control of the paired computer or phone.
What is M6Plus?
M6Plus is a compact Bluetooth card‑reader used in small shops and delivery points. It pairs with a phone or computer app over BLE to process payments, and the host device normally issues commands while the terminal acts as a passive peripheral.
Core vulnerability (CVE‑2026‑4583)
Lack of encryption
The BLE protocol implemented by M6Plus transmits all data in clear text. Any attacker within Bluetooth range can capture the traffic without needing a key.
No replay protection
Instead of attaching a random nonce or timestamp to each command, the protocol accepts a fixed token. An attacker can record a legitimate command and replay it later, causing the device to execute the stale instruction.
Weak checksum
Integrity is "verified" with a single‑byte XOR checksum over the frame. XOR is keyless and linear, so anyone who modifies the payload can recompute the checksum, or make compensating changes that leave it unchanged, and the forged command is accepted as genuine.
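The replay and checksum weaknesses above, as an added example (not code from the page or from the M6Plus vendor). The frame layout `STX | LEN | CMD | PAYLOAD | XOR | ETX` and the command id `CMD_CHARGE` are assumptions made for the example; the page does not publish the real wire format. The receiver model shows what the page describes: the XOR byte is the only integrity check, and there is no freshness check, so a recorded frame executes again on replay.

```python
"""
Added example: a receiver that trusts a one-byte XOR checksum, and two ways an
attacker defeats it without any key.

ASSUMED frame layout (not the documented M6Plus format):

    STX(0x02) | LEN | CMD | PAYLOAD ... | XOR | ETX(0x03)

LEN counts CMD + PAYLOAD; XOR is the XOR of LEN, CMD and PAYLOAD.
"""

STX, ETX = 0x02, 0x03
CMD_CHARGE = 0x10  # hypothetical command id for the example


def xor_checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def build_frame(cmd: int, payload: bytes) -> bytes:
    body = bytes([len(payload) + 1, cmd]) + payload
    return bytes([STX]) + body + bytes([xor_checksum(body), ETX])


def parse_frame(frame: bytes):
    """Receiver as the page describes it: the only integrity check is the XOR byte.
    Returns (cmd, payload), or None for a frame the receiver would drop."""
    if len(frame) < 5 or frame[0] != STX or frame[-1] != ETX:
        return None
    length = frame[1]
    if len(frame) != length + 4:
        return None
    body = frame[1:length + 2]
    if frame[length + 2] != xor_checksum(body):
        return None
    return body[1], bytes(body[2:])


def patch_byte(frame: bytes, index: int, value: int) -> bytes:
    """Attack 1: change one covered byte and fold the same delta into the
    checksum byte. No parsing and no key needed, only the checksum's position."""
    out = bytearray(frame)
    delta = out[index] ^ value
    out[index] = value
    out[-2] ^= delta            # the XOR byte sits just before ETX
    return bytes(out)


def swap_pair(frame: bytes, i: int, j: int) -> bytes:
    """Attack 2: swap two covered bytes. XOR is order-independent, so the
    existing checksum is still correct and need not be touched."""
    out = bytearray(frame)
    out[i], out[j] = out[j], out[i]
    return bytes(out)


class NaiveTerminal:
    """Device with no freshness check: every frame that passes parse_frame is
    executed, however many times it arrives."""
    def __init__(self):
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        parsed = parse_frame(frame)
        if parsed is None:
            return False
        self.executed.append(parsed)
        return True


def demo():
    # Constructed sample frame: charge 0x0064 (100) units, 2-byte amount.
    genuine = build_frame(CMD_CHARGE, bytes([0x00, 0x64]))
    forged = patch_byte(genuine, 3, 0xFF)   # amount high byte 0x00 -> 0xFF
    swapped = swap_pair(genuine, 3, 4)      # amount 0x0064 -> 0x6400

    term = NaiveTerminal()
    results = [term.receive(genuine),
               term.receive(genuine),       # replay: accepted again
               term.receive(forged),
               term.receive(swapped)]
    return results, term.executed


if __name__ == "__main__":
    print(demo())
```

Both forgeries pass `parse_frame` and the replayed frame is executed twice; an uncompensated edit is the only thing this checksum catches, which is what it was designed for (line noise, not an adversary).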
Attack chain
Impersonation – a phone or BLE development board emulates an M6Plus device.
Injection – using the replay and checksum flaws, the attacker sends a crafted packet that the host accepts as a genuine terminal message.
Overflow – if the host driver or companion app has a memory‑safety bug such as a buffer overflow in its packet parser, the crafted packet triggers it and executes attacker‑controlled code.
Takeover – the injected code inherits the privileges of the component that parsed the packet; for a driver or privileged service that means administrator‑level access on the victim computer.
The chain needs nothing beyond proximity: it can be triggered from within the roughly 10‑meter Bluetooth radius, turning the wireless link into a backdoor. Only the third step depends on a host‑side bug; the first two are properties of the protocol itself.
Threat amplification
The vulnerability lies in the communication protocol, not the hardware, so an attacker does not need a physical M6Plus unit. A laptop or rooted Android phone with open‑source BLE tooling (Scapy's Bluetooth layers, or a custom BLE‑peripheral app) can fully mimic the device and continuously advertise forged handshake packets. This lowers the attack barrier from buying specific hardware to installing a malicious app, and expands the potential attack surface accordingly.
Implications
Host software typically trusts connected peripherals as benign, so peripheral data is often parsed with little validation. When a forged M6Plus packet reaches such a parser, the peripheral effectively hijacks the host, enabling remote code execution and privilege escalation on the paired computer or mobile device.
Mitigations
Apply firmware updates that address CVE‑2026‑4583 as soon as they are released by the manufacturer.
Enforce LE Secure Connections pairing so the link is encrypted, and use an authenticated pairing method (Passkey Entry or Numeric Comparison rather than Just Works), since Just Works pairing encrypts the link but does not protect against a man‑in‑the‑middle.
Introduce an application‑layer challenge‑response: the receiver issues a fresh random nonce for every command and the sender returns it under a keyed MAC. This defeats replay and replaces the XOR checksum with real integrity protection. On the host side, bounds‑check every field of a peripheral packet before parsing it, regardless of link security.
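The challenge‑response mitigation above, together with the strict host‑side validation the Implications section calls for, as an added example (not the vendor's code). Assumptions: a 32‑byte key shared at pairing, HMAC‑SHA256 as the MAC, a 16‑byte challenge issued by the receiver for every command, and a 64‑byte payload cap; the `Terminal`/`Host` classes and result strings are invented for the example.

```python
"""
Added example: application-layer challenge-response with a keyed MAC, replacing
the fixed token and one-byte XOR described on the page.

Assumptions (not from the page): 32-byte pre-shared key provisioned at pairing,
HMAC-SHA256 tags, a 16-byte receiver-issued challenge per command, and a hard
payload cap checked before any parsing.
"""
import hashlib
import hmac
import os

MAX_PAYLOAD = 64    # assumed upper bound, enforced before the content is touched
CHALLENGE_LEN = 16
TAG_LEN = 32        # HMAC-SHA256 digest size


class Terminal:
    """The party that executes commands. It hands out a fresh challenge per
    command and refuses anything not bound to the currently outstanding one."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None
        self.executed = []

    def new_challenge(self) -> bytes:
        self._pending = os.urandom(CHALLENGE_LEN)
        return self._pending

    def receive(self, msg: bytes) -> str:
        # 1. Length checks first: the host-side parsing lesson applies here too.
        if len(msg) < 1 + TAG_LEN or len(msg) > 1 + MAX_PAYLOAD + TAG_LEN:
            return "rejected:length"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        # 2. Freshness: a command must answer the one outstanding challenge.
        if self._pending is None:
            return "rejected:no-challenge"
        expected = hmac.new(self._key, self._pending + body, hashlib.sha256).digest()
        # 3. Authenticity and integrity, compared in constant time. A replayed
        #    message carries a tag over an old challenge and fails here.
        if not hmac.compare_digest(tag, expected):
            return "rejected:bad-tag"
        # 4. Consume the challenge so the same message can never be accepted twice.
        self._pending = None
        self.executed.append((body[0], body[1:]))
        return "ok"


class Host:
    """The party issuing commands: binds each command to the challenge it received."""
    def __init__(self, key: bytes):
        self._key = key

    def command(self, challenge: bytes, cmd: int, payload: bytes) -> bytes:
        body = bytes([cmd]) + payload
        tag = hmac.new(self._key, challenge + body, hashlib.sha256).digest()
        return body + tag


def demo() -> dict:
    key = os.urandom(32)                 # constructed: provisioned at pairing in practice
    term, host = Terminal(key), Host(key)
    out = {}

    c1 = term.new_challenge()
    m1 = host.command(c1, 0x10, b"\x00\x64")
    out["genuine"] = term.receive(m1)
    out["replay_immediate"] = term.receive(m1)      # challenge already consumed

    term.new_challenge()
    out["replay_new_challenge"] = term.receive(m1)  # tag bound to c1, not this one

    c3 = term.new_challenge()
    m3 = bytearray(host.command(c3, 0x10, b"\x00\x64"))
    m3[1] ^= 0xFF                                   # flip the amount byte
    out["tampered"] = term.receive(bytes(m3))

    c4 = term.new_challenge()
    out["wrong_key"] = term.receive(Host(os.urandom(32)).command(c4, 0x10, b"\x00\x64"))
    out["oversized"] = term.receive(b"\x10" + b"A" * 200)   # dropped before any MAC work
    out["executed"] = term.executed
    return out


if __name__ == "__main__":
    print(demo())
```

The challenge comes from the receiver rather than from a sender timestamp because a payment terminal has no trusted clock; the key must be per device and provisioned at pairing, and this layer complements LE Secure Connections rather than replacing it, since the MAC gives authenticity and freshness but not confidentiality.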
Black & White Path