
Mpos M6 Plus EUVD-2026-14408

CVE-2026-4584 LOW
Cleartext Transmission of Sensitive Information (CWE-319)
2026-03-23 VulDB GHSA-vmxp-224r-5qhc
1.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.3 LOW
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

6 events

  • Apr 29, 2026 - 01:11 · NVD · CVSS changed: 2.3 (LOW) → 1.3 (LOW)
  • Apr 24, 2026 - 16:37 · NVD · CVSS changed: 3.1 (LOW) → 2.3 (LOW)
  • Mar 23, 2026 - 14:31 · vuln.today · PoC Detected: Public exploit code
  • Mar 23, 2026 - 11:45 · euvd · EUVD ID Assigned: EUVD-2026-14408
  • Mar 23, 2026 - 11:45 · vuln.today · Analysis Generated
  • Mar 23, 2026 - 11:14 · nvd · CVE Published: LOW 3.1

Description (CVE.org)

A flaw has been found in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. This affects an unknown part of the component Cardholder Data Handler. Executing a manipulation can lead to cleartext transmission of sensitive information. The attack requires access to the local network. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

The Shenzhen HCC Technology MPOS M6 PLUS device running firmware version 1V.31-N contains a cleartext transmission vulnerability in its Cardholder Data Handler component that allows attackers on the local network to intercept sensitive information. An attacker with network access can manipulate the affected component to force transmission of cardholder data in cleartext, compromising payment card information. …

Vulnerability Assessment (AI)

Risk Assessment: Despite the low CVSS score of 3.1, this vulnerability warrants elevated attention for three reasons. First, a public proof-of-concept exists on GitHub (https://github.com/Davim09/m6plusexploit), significantly lowering the barrier to exploitation. Second, the vulnerability affects payment processing hardware directly, so successful exploitation compromises cardholder data (high business impact despite limited technical CVSS impact). Third, the vendor (Shenzhen HCC Technology) has not responded to disclosure attempts and no patch timeline exists, leaving affected deployments exposed indefinitely. …

Exploit Scenario: An attacker positioned on the same local network as a deployed MPOS M6 PLUS terminal (e.g., shared corporate WiFi, coffee shop network, or compromised network segment) uses the publicly available proof-of-concept code from GitHub to manipulate the Cardholder Data Handler component into transmitting sensitive cardholder information in cleartext. By passively monitoring network traffic or actively triggering payment transactions, the attacker captures full or partial card data including PAN, expiry, and potentially CVV information, which can then be used for fraudulent transactions or sold on underground markets. …

Remediation: The primary remediation is to upgrade the MPOS M6 PLUS firmware to a patched version once one is available from Shenzhen HCC Technology. Given the vendor's non-responsiveness, however, users should contact the vendor directly to request a security patch or consider evaluating alternative payment processing hardware from vendors with active security practices. …

Recommended Action (AI)

During next maintenance window: Apply vendor patches when convenient. …
