CVE-2023-4818 - Vulnerability Details - OpenCVE

PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. The attacker must have physical USB access to the device in order to exploit this vulnerability.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Paxtechnology	A920 Paydroid

Configuration 1 [-]

AND

cpe:2.3:o:paxtechnology:paydroid:7.1.2_aquarius_11.1.50_20230614:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:a920:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://ppn.paxengine.com/release/development

History

Tue, 17 Jun 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 10 Oct 2024 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-20

Thu, 10 Oct 2024 15:45:00 +0000

Type	Values Removed	Values Added
Description	PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. The attacker must have physical USB access to the device in order to exploit this vulnerability.	PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. The attacker must have physical USB access to the device in order to exploit this vulnerability.

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2024-01-15T13:28:53.084Z

Updated: 2025-06-17T13:36:53.048Z

Reserved: 2023-09-07T13:18:09.776Z

Link: CVE-2023-4818

Vulnrichment

Updated: 2024-08-02T07:38:00.703Z

NVD

Status : Modified

Published: 2024-01-15T14:15:25.180

Modified: 2025-06-17T14:15:27.577

Link: CVE-2023-4818

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4818", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2023-09-07T13:18:09.776Z", "datePublished": "2024-01-15T13:28:53.084Z", "dateUpdated": "2025-06-17T13:36:53.048Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "A920", "vendor": "PAX Technology", "versions": [{"lessThan": "A920_AP_Boot_Release_V5.14", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Hubert Jasudowicz, Adam Kli\u015b and other members of STM Cyber R&D team"}], "datePublic": "2024-01-15T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><span style=\"background-color: rgba(221, 223, 228, 0.1);\">PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. </span></div><div><span style=\"background-color: rgba(221, 223, 228, 0.1);\"><div><br></div>The attacker must have physical USB access to the device in order to exploit this vulnerability.</span></div>"}], "value": "PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used.\u00a0\n\n\n\n\nThe attacker must have physical USB access to the device in order to exploit this vulnerability."}], "impacts": [{"capecId": "CAPEC-176", "descriptions": [{"lang": "en", "value": "CAPEC-176 Configuration/Environment Manipulation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-10-10T15:36:00.867Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://ppn.paxengine.com/release/development"}, {"tags": ["technical-description"], "url": "https://blog.stmcyber.com/pax-pos-cves-2023/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2024/01/CVE-2023-4818/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:38:00.703Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://ppn.paxengine.com/release/development"}, {"tags": ["technical-description", "x_transferred"], "url": "https://blog.stmcyber.com/pax-pos-cves-2023/"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/posts/2024/01/CVE-2023-4818/"}]}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-17T13:36:16.229654Z", "id": "CVE-2023-4818", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T13:36:53.048Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://ppn.paxengine.com/release/development", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://blog.stmcyber.com/pax-pos-cves-2023/", "tags": ["technical-description", "x_transferred"]}, {"url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://cert.pl/posts/2024/01/CVE-2023-4818/", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:38:00.703Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-4818", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-17T13:36:16.229654Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T13:36:45.510Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Hubert Jasudowicz, Adam Kli\u015b and other members of STM Cyber R&D team"}], "impacts": [{"capecId": "CAPEC-176", "descriptions": [{"lang": "en", "value": "CAPEC-176 Configuration/Environment Manipulation"}]}], "affected": [{"vendor": "PAX Technology", "product": "A920", "versions": [{"status": "affected", "version": "0", "lessThan": "A920_AP_Boot_Release_V5.14", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2024-01-15T11:00:00.000Z", "references": [{"url": "https://ppn.paxengine.com/release/development", "tags": ["vendor-advisory"]}, {"url": "https://blog.stmcyber.com/pax-pos-cves-2023/", "tags": ["technical-description"]}, {"url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/", "tags": ["third-party-advisory"]}, {"url": "https://cert.pl/posts/2024/01/CVE-2023-4818/", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used.\u00a0\n\n\n\n\nThe attacker must have physical USB access to the device in order to exploit this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "<div><span style=\"background-color: rgba(221, 223, 228, 0.1);\">PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. </span></div><div><span style=\"background-color: rgba(221, 223, 228, 0.1);\"><div><br></div>The attacker must have physical USB access to the device in order to exploit this vulnerability.</span></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-10-10T15:36:00.867Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4818", "state": "PUBLISHED", "dateUpdated": "2025-06-17T13:36:53.048Z", "dateReserved": "2023-09-07T13:18:09.776Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2024-01-15T13:28:53.084Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:7.1.2_aquarius_11.1.50_20230614:*:*:*:*:*:*:*", "matchCriteriaId": "034C08E1-1DEB-43D2-A38A-736E1FEDE45C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:a920:-:*:*:*:*:*:*:*", "matchCriteriaId": "D351F870-D43F-48B4-B2AC-0FDDD7B82ED4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used.\u00a0\n\n\n\n\nThe attacker must have physical USB access to the device in order to exploit this vulnerability."}, {"lang": "es", "value": "El dispositivo PAX A920 permite degradar el gestor de arranque debido a un error en la verificaci\u00f3n de versi\u00f3n. La firma est\u00e1 correctamente comprobada y s\u00f3lo se puede utilizar el gestor de arranque firmado por PAX. El atacante debe tener acceso USB f\u00edsico al dispositivo para poder aprovechar esta vulnerabilidad."}], "id": "CVE-2023-4818", "lastModified": "2025-06-17T14:15:27.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 6.0, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-01-15T14:15:25.180", "references": [{"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.stmcyber.com/pax-pos-cves-2023/"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/01/CVE-2023-4818/"}, {"source": "[email protected]", "tags": ["Permissions Required"], "url": "https://ppn.paxengine.com/release/development"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.stmcyber.com/pax-pos-cves-2023/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/01/CVE-2023-4818/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://ppn.paxengine.com/release/development"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "[email protected]", "type": "Primary"}]}