Skip to main content

Vivo PcSuite CVE-2026-11535

| EUVDEUVD-2026-36391 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-12 Vivo GHSA-62wc-8jj5-4mxm
9.4
CVSS 4.0 · Vendor: Vivo
Share

Severity by source

Vendor (Vivo) PRIMARY
9.4 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 CRITICAL

Bluetooth-range adjacent vector with no auth or user interaction; vendor flags both confidentiality and integrity impact while availability is unaffected, so PR:N, UI:N, C:H, I:H, A:N.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Vivo).

CVSS VectorVendor: Vivo

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 12, 2026 - 11:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 12, 2026 - 11:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 12, 2026 - 11:22 vuln.today
cvss_changed
Severity Changed
Jun 12, 2026 - 11:22 NVD
HIGH CRITICAL
CVSS changed
Jun 12, 2026 - 11:22 NVD
8.7 (HIGH) 9.4 (CRITICAL)
Analysis Generated
Jun 12, 2026 - 08:44 vuln.today

DescriptionCVE.org

The authentication mechanism of a certain function in the PcSuite has a defect, which may result in information leakage within the range of a Bluetooth connection.

AnalysisAI

Information disclosure in Vivo PcSuite versions below 6.2.5 allows adjacent attackers within Bluetooth range to bypass an authentication mechanism in a specific function and obtain sensitive data without user interaction. The flaw is tracked as a missing-authentication weakness (CWE-306) reported directly by Vivo and carries a CVSS 4.0 score of 9.4, with no public exploit identified at time of analysis.

Technical ContextAI

Vivo PcSuite is the desktop companion application Vivo ships for managing its Android smartphones, handling device synchronization, backups, and data transfer over USB and Bluetooth pairings. The root cause is CWE-306 (Missing Authentication for Critical Function): a function exposed over the Bluetooth transport does not adequately verify the identity of the requesting peer, so any device within wireless range that can establish or piggyback on a Bluetooth connection can reach functionality that should require an authenticated, paired session. The CPE cpe:2.3:a:vivo:pcsuite:*:*:*:*:*:*:*:* indicates the flaw spans all builds of the PcSuite application prior to the fixed 6.2.5 release rather than being tied to a specific phone firmware.

RemediationAI

Upgrade Vivo PcSuite to version 6.2.5 or later as documented in the vendor advisory at https://www.vivo.com/en/support/security-advisory-detail?id=22, since this is the only confirmed fix. Until the upgrade can be deployed, reduce exposure by disabling Bluetooth on hosts running PcSuite when it is not actively in use, unpairing untrusted devices, and avoiding running PcSuite in untrusted RF environments such as conferences, cafes, and open-plan public spaces; note the trade-off that disabling Bluetooth breaks legitimate phone synchronization. Restricting Bluetooth discoverability and using OS-level Bluetooth allowlists where supported further narrows the attacker pool without disabling functionality entirely.

Share

CVE-2026-11535 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy