Cyberattacks likely with PAX payment terminal bugs

SecurityWeek reports that six vulnerabilities impacting PAX Technology's Android-based point-of-sale terminals that have already been addressed by the China-based payment terminal manufacturer could be leveraged to facilitate further compromise. Threat actors could exploit half of the flaws including CVE-2023-4818, which enables bootloader downgrading, and the kernel argument injection bugs, tracked as CVE-2023-42134, and CVE-2023-42135 to enable physical USB access to targeted devices, according to a report from STM Cyber, which discovered the vulnerabilities. On the other hand, two other bugs could be abused to enable arbitrary command execution among attackers with shell access to devices. Attackers could use the first flaw, tracked as CVE-2023-42136, for shell command injections that would evade security checks and allow system privileges, while the second vulnerability, tracked as CVE-2023-42137, could be leveraged for arbitrary file overwriting and privilege escalation purposes. No additional details regarding the sixth vulnerability were provided by researchers, who reported the bugs in May.