The point-of-sale (PoS) terminals manufactured by PAX Technology have been found to have several high-severity vulnerabilities that can be exploited by attackers to execute arbitrary code. The STM Cyber R&D team, which reverse engineered the devices, discovered six flaws that allow for privilege escalation and local code execution. One of the vulnerabilities has not been disclosed, but the others include local code execution as root, privilege escalation from any user to system user, privilege escalation from system user to root, and bootloader downgrade. Exploiting these vulnerabilities could allow attackers to gain root access and bypass sandboxing protections, giving them full control over the device and the ability to interfere with payment operations. PAX Technology was notified of the flaws in May 2023 and released patches in November of the same year.
Source link