Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent vector and no privileges required per pop-up bypass nature; only low integrity impact with no confidentiality or availability consequences.
Primary rating from Vendor (Vivo).
CVSS VectorVendor: Vivo
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The connection confirmation pop-up of a specific feature in the PcSuite can be bypassed.
AnalysisAI
Vivo PcSuite's connection confirmation pop-up - a security gate that prompts users to authorize PC-to-device connections - can be bypassed by an adjacent unauthenticated attacker, rooted in CWE-807 (Reliance on Untrusted Inputs in a Security Decision). All versions of PcSuite are listed as affected per the wildcard CPE (cpe:2.3:a:vivo:pcsuite:*:*:*:*:*:*:*:*), and the attack requires only adjacent network positioning with no privileges or user interaction. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, keeping real-world urgency moderate.
Technical ContextAI
Vivo PcSuite is a PC-connectivity application that manages data transfer and device interaction between Vivo Android smartphones and Windows PCs, typically over USB or local wireless interfaces. CWE-807 (Reliance on Untrusted Inputs in a Security Decision) identifies the root cause: the software makes a security-relevant trust decision - whether to allow a connection - based on an input that an attacker in adjacent proximity can influence or spoof. This class of flaw commonly manifests when confirmation dialogs rely on client-side signals, unvalidated identifiers, or interceptable handshake values rather than a cryptographically bound or server-enforced challenge. The adjacent attack vector (AV:A in CVSS 4.0) is consistent with a connection negotiation protocol conducted over a local interface such as USB, Bluetooth, or LAN, where an attacker must be co-located to inject or replay the bypass input.
RemediationAI
Consult the Vivo security advisory at https://www.vivo.com/en/support/security-advisory-detail?id=23 for the latest patch guidance - no specific fixed version number was confirmed from the available data, so the advisory should be treated as the authoritative source. As a compensating control while a patch is pending or evaluated, users should disable or avoid use of the specific PcSuite feature associated with the connection confirmation flow, particularly in untrusted network environments such as public Wi-Fi or shared USB hubs. Restricting PcSuite connectivity to trusted, isolated networks (e.g., dedicated USB connections to known machines only) reduces adjacency exposure. Note that disabling the feature entirely may impair data-transfer or device-management workflows - organizations should weigh this against the low-integrity-impact risk profile.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36392
GHSA-c7fv-2wx9-32wh