Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Bluetooth-range adjacent vector with no auth or user interaction; vendor flags both confidentiality and integrity impact while availability is unaffected, so PR:N, UI:N, C:H, I:H, A:N.
Primary rating from Vendor (Vivo).
CVSS VectorVendor: Vivo
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
The authentication mechanism of a certain function in the PcSuite has a defect, which may result in information leakage within the range of a Bluetooth connection.
AnalysisAI
Information disclosure in Vivo PcSuite versions below 6.2.5 allows adjacent attackers within Bluetooth range to bypass an authentication mechanism in a specific function and obtain sensitive data without user interaction. The flaw is tracked as a missing-authentication weakness (CWE-306) reported directly by Vivo and carries a CVSS 4.0 score of 9.4, with no public exploit identified at time of analysis.
Technical ContextAI
Vivo PcSuite is the desktop companion application Vivo ships for managing its Android smartphones, handling device synchronization, backups, and data transfer over USB and Bluetooth pairings. The root cause is CWE-306 (Missing Authentication for Critical Function): a function exposed over the Bluetooth transport does not adequately verify the identity of the requesting peer, so any device within wireless range that can establish or piggyback on a Bluetooth connection can reach functionality that should require an authenticated, paired session. The CPE cpe:2.3:a:vivo:pcsuite:*:*:*:*:*:*:*:* indicates the flaw spans all builds of the PcSuite application prior to the fixed 6.2.5 release rather than being tied to a specific phone firmware.
RemediationAI
Upgrade Vivo PcSuite to version 6.2.5 or later as documented in the vendor advisory at https://www.vivo.com/en/support/security-advisory-detail?id=22, since this is the only confirmed fix. Until the upgrade can be deployed, reduce exposure by disabling Bluetooth on hosts running PcSuite when it is not actively in use, unpairing untrusted devices, and avoiding running PcSuite in untrusted RF environments such as conferences, cafes, and open-plan public spaces; note the trade-off that disabling Bluetooth breaks legitimate phone synchronization. Restricting Bluetooth discoverability and using OS-level Bluetooth allowlists where supported further narrows the attacker pool without disabling functionality entirely.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36391
GHSA-62wc-8jj5-4mxm