Vulnerabilities Expose PAX Payment Terminals to Hacking

Vulnerabilities in Android-based PoS terminals from PAX can be exploited to downgrade bootloaders, execute arbitrary code.

The Android-based PoS (point-of-sale) terminals from PAX Technology are affected by a series of vulnerabilities that can be exploited to execute arbitrary code or commands, penetration testing firm STM Cyber reports.

Headquartered in China, PAX manufactures payment terminals, PIN pads, and PoS hardware and software, which are sold globally. The PoS devices from PAX run on PayDroid, which is based on Android.

According to STM Cyber, while sandboxing prevents applications on the terminal from interacting with one another, an attacker with root access could tamper with any application, including the payment process.

Although the attacker would not be able to access decrypted payment information, they could modify the transaction amount and other related data, STM Cyber explains in a technical report that also includes proof-of-concept (PoC) exploits. The firm has identified six vulnerabilities in the PAX PoS devices.

Three of the issues, the firm says, can be exploited by attackers with physical USB access to the vulnerable device.

The first of the bugs, CVE-2023-4818, allows an attacker to downgrade the bootloader of PAX A920 devices to a previous, potentially vulnerable version. Signature checks, however, only allow the loading of bootloaders signed by PAX.

The second issue, CVE-2023-42134, allows an attacker to inject kernel arguments and execute arbitrary code with root privileges on any PAX PoS device. The bug can be exploited in fastboot mode by executing a hidden command to overwrite an unsigned partition.

Next in line is CVE-2023-42135, a similar kernel argument injection flaw leading to code execution by flashing a different unsigned partition. The issue impacts PAX A920Pro/A50 devices.

Impacting all PAX PoS terminals, two other vulnerabilities can be exploited by attackers with shell access to a vulnerable device to execute arbitrary commands, STM Cyber explains.

Tracked as CVE-2023-42136, the first of these bugs allows an attacker to inject shell commands that start with a specific word, bypassing existing checks and gaining ‘system’ privileges.

An attacker can exploit the second flaw, CVE-2023-42137, to overwrite arbitrary files and potentially elevate their privileges to system or root.

Details on the sixth security defect, which is tracked as CVE-2023-42133, have not been released.

STM Cyber reported the vulnerabilities to PAX in May 2023 and informed CERT Poland in August. PAX has released patches for all vulnerabilities.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

