Skip to main content

Vivo PcSuite CVE-2026-12058

| EUVDEUVD-2026-36392 MEDIUM
Reliance on Untrusted Inputs in a Security Decision (CWE-807)
2026-06-12 Vivo GHSA-c7fv-2wx9-32wh
5.3
CVSS 4.0 · Vendor: Vivo
Share

Severity by source

Vendor (Vivo) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Adjacent vector and no privileges required per pop-up bypass nature; only low integrity impact with no confidentiality or availability consequences.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Vivo).

CVSS VectorVendor: Vivo

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 12, 2026 - 08:44 vuln.today

DescriptionCVE.org

The connection confirmation pop-up of a specific feature in the PcSuite can be bypassed.

AnalysisAI

Vivo PcSuite's connection confirmation pop-up - a security gate that prompts users to authorize PC-to-device connections - can be bypassed by an adjacent unauthenticated attacker, rooted in CWE-807 (Reliance on Untrusted Inputs in a Security Decision). All versions of PcSuite are listed as affected per the wildcard CPE (cpe:2.3:a:vivo:pcsuite:*:*:*:*:*:*:*:*), and the attack requires only adjacent network positioning with no privileges or user interaction. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, keeping real-world urgency moderate.

Technical ContextAI

Vivo PcSuite is a PC-connectivity application that manages data transfer and device interaction between Vivo Android smartphones and Windows PCs, typically over USB or local wireless interfaces. CWE-807 (Reliance on Untrusted Inputs in a Security Decision) identifies the root cause: the software makes a security-relevant trust decision - whether to allow a connection - based on an input that an attacker in adjacent proximity can influence or spoof. This class of flaw commonly manifests when confirmation dialogs rely on client-side signals, unvalidated identifiers, or interceptable handshake values rather than a cryptographically bound or server-enforced challenge. The adjacent attack vector (AV:A in CVSS 4.0) is consistent with a connection negotiation protocol conducted over a local interface such as USB, Bluetooth, or LAN, where an attacker must be co-located to inject or replay the bypass input.

RemediationAI

Consult the Vivo security advisory at https://www.vivo.com/en/support/security-advisory-detail?id=23 for the latest patch guidance - no specific fixed version number was confirmed from the available data, so the advisory should be treated as the authoritative source. As a compensating control while a patch is pending or evaluated, users should disable or avoid use of the specific PcSuite feature associated with the connection confirmation flow, particularly in untrusted network environments such as public Wi-Fi or shared USB hubs. Restricting PcSuite connectivity to trusted, isolated networks (e.g., dedicated USB connections to known machines only) reduces adjacency exposure. Note that disabling the feature entirely may impair data-transfer or device-management workflows - organizations should weigh this against the low-integrity-impact risk profile.

Share

CVE-2026-12058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy