CVE-2023-26980

7.0 HIGH

📋 TL;DR

CVE-2023-26980 is a reported race condition in PAX Technology A920 Pro payment terminals running PayDroid 8.1 (PAX's Android 8.1-based operating system). During startup, an attacker with hands-on access to the device could allegedly win a race against the PAX home launcher and land in the standard Android environment, bypassing the locked-down payment software. PAX disputes that the race is winnable. The finding concerns merchants and payment terminal operators deploying this specific device and firmware combination.

💻 Affected Systems

Products:
  • PAX Technology A920 Pro
Versions: PayDroid 8.1
Operating Systems: Android-based PayDroid
Default Config Vulnerable: ⚠️ Yes
Notes: The vendor disputes feasibility, stating that the home launcher loads before any user application, so there is no window to win. If exploitable at all, the issue requires physical access and precise timing during the boot sequence.

📦 What is this software?

The PAX A920 Pro is a handheld Android-based smart payment terminal used for card-present transactions in retail and hospitality. PayDroid is PAX's customised, locked-down Android build for its terminals; PayDroid 8.1 is the variant based on Android 8.1. On a correctly configured terminal the operator only ever sees the PAX launcher and the approved payment applications, never the stock Android home screen.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full Android OS access on payment terminals, potentially compromising payment data, installing malware, or disabling payment functionality entirely.

🟠

Likely Case

Temporary disruption of payment processing during boot attacks, requiring device restart to restore normal operation.

🟢

If Mitigated

Minimal impact with proper physical security controls and monitoring, as exploitation requires physical access during boot.

🌐 Internet-Facing: LOW - Exploitation requires physical access to the device during boot process.
🏢 Internal Only: MEDIUM - Physical access to payment terminals in retail environments could be obtained by malicious actors.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes (no credentials needed, but hands-on physical access during boot is required)
Complexity: HIGH

Race condition requires precise timing during boot. Physical device access needed. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None provided

Restart Required: N/A (no fix has been published)

Instructions:

No official patch available. Contact PAX Technology for security updates and guidance.

🔧 Temporary Workarounds

Physical Security Controls

Platform: all

Restrict physical access to payment terminals during boot/restart cycles

Boot Monitoring

Platform: all

Monitor devices during startup and investigate any abnormal boot behavior

🧯 If You Can't Patch

  • Implement strict physical security controls around payment terminals
  • Monitor devices for unexpected reboots or boot anomalies

🔍 How to Verify

Check if Vulnerable:

Check the device model and PayDroid version in the device settings. If the terminal is a PAX A920 Pro running PayDroid 8.1, treat it as in scope for this CVE; note that the vendor disputes the finding, so "in scope" means "apply the physical-access controls below", not "confirmed exploitable".

Check Version:

Check device settings > About device > Software information

Verify Fix Applied:

Contact PAX Technology for security updates and verify PayDroid version is updated beyond 8.1.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device reboots
  • Boot process anomalies
  • Payment software failing to load

Network Indicators:

  • Payment terminal offline during expected hours
  • Unusual network traffic from terminal

SIEM Query:

PAX publishes no log schema for PayDroid, so there is no portable query. In whatever fleet-management or terminal-management export you have, alert on (a) several boot events from the same terminal within a few minutes, which is what repeated attempts to hit a boot-time race would look like, and (b) a boot event that is not followed by the payment application's ready/online event within its normal startup time.
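The two indicators above, as an added detection example (this is not code from the original page or from PAX). The log format, field names and thresholds are constructed assumptions for the example; adapt the parser to your own terminal-management export.

```python
"""Added example: flag PAX terminal boot anomalies from a fleet log export.

The line format "<ISO timestamp> <terminal id> <event>" and the event names
are HYPOTHETICAL; PAX publishes no log schema, so adapt parse_log() to your
TMS/MDM export. Thresholds are starting points, not vendor values."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. T-001 boots normally; T-002 is power-cycled three
# times inside two minutes; T-003 boots but its payment app never reports ready.
SAMPLE_LOG = """\
2024-03-01T08:00:00 T-001 BOOT
2024-03-01T08:00:25 T-001 PAYMENT_APP_READY
2024-03-01T08:05:00 T-002 BOOT
2024-03-01T08:05:40 T-002 BOOT
2024-03-01T08:06:15 T-002 BOOT
2024-03-01T08:06:50 T-002 PAYMENT_APP_READY
2024-03-01T08:30:00 T-002 HEARTBEAT
2024-03-01T08:10:00 T-003 BOOT
2024-03-01T08:40:00 T-003 HEARTBEAT
"""

BOOT_BURST_WINDOW = timedelta(minutes=5)   # assumed: boots this close together are odd
BOOT_BURST_COUNT = 3                        # assumed: this many boots in the window alerts
APP_READY_TIMEOUT = timedelta(minutes=2)    # assumed: payment app should be up by then


def parse_log(text):
    """Group (timestamp, event) pairs per terminal, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, event = line.split()
        events[terminal].append((datetime.fromisoformat(ts), event))
    for terminal in events:
        events[terminal].sort()
    return events


def find_boot_anomalies(text):
    """Return {terminal_id: [reason, ...]} for terminals matching the indicators;
    an empty dict means nothing looked suspicious."""
    findings = defaultdict(list)
    for terminal, evs in parse_log(text).items():
        boots = [t for t, ev in evs if ev == "BOOT"]
        readies = [t for t, ev in evs if ev == "PAYMENT_APP_READY"]
        last_seen = evs[-1][0]

        # Indicator 1: repeated reboots in a short window, i.e. someone cycling
        # power to retry a boot-time race.
        for i, start in enumerate(boots):
            burst = [t for t in boots[i:] if t - start <= BOOT_BURST_WINDOW]
            if len(burst) >= BOOT_BURST_COUNT:
                findings[terminal].append(
                    f"{len(burst)} boots within {BOOT_BURST_WINDOW} "
                    f"starting {start.isoformat()}")
                break

        # Indicator 2: a boot with no PAYMENT_APP_READY inside the timeout.
        # Only flag when the log already extends past the deadline, so a
        # terminal still starting up when the export was taken is not flagged.
        for boot in boots:
            deadline = boot + APP_READY_TIMEOUT
            if last_seen < deadline:
                continue
            if not any(boot <= r <= deadline for r in readies):
                findings[terminal].append(
                    f"no PAYMENT_APP_READY within {APP_READY_TIMEOUT} "
                    f"of boot at {boot.isoformat()}")
    return dict(findings)


if __name__ == "__main__":
    for terminal, reasons in sorted(find_boot_anomalies(SAMPLE_LOG).items()):
        print(terminal)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample this flags T-002 for the boot burst and T-003 for the missing ready event, and leaves T-001 alone. Tune the window and timeout to the observed startup time of your own fleet before wiring this into an alert, and treat a hit as a tamper event to be checked on site rather than a confirmed exploit.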
