CVE-2025-46018

5.4 MEDIUM

📋 TL;DR

The CSC Pay Mobile App version 2.19.4 contains a payment authorization bypass vulnerability where users can disable Bluetooth at a specific point during a transaction to avoid payment. This allows unauthorized use of laundry services without payment, affecting all users of the vulnerable app version.

💻 Affected Systems

Products:
  • CSC Pay Mobile App
Versions: 2.19.4 and earlier
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects mobile app users performing laundry transactions via Bluetooth payment authorization.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Widespread abuse leading to significant financial losses for laundry service providers and potential service disruption due to unpaid usage.

🟠 Likely Case

Limited opportunistic exploitation by users discovering the vulnerability, resulting in moderate financial losses for individual laundry facilities.

🟢 If Mitigated

Minimal impact if users update promptly and service providers monitor for suspicious transaction patterns.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires physical access to the device and specific timing during the Bluetooth payment process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.20.0

Vendor Advisory: https://www.cscsw.com/disclosure-process/

Restart Required: No

Instructions:

1. Open the app store on the mobile device.
2. Search for 'CSC Pay'.
3. Update to version 2.20.0 or later.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

  • Disable Bluetooth payment temporarily (applies to: all): use alternative payment methods until the app is updated.

🧯 If You Can't Patch

  • Monitor transaction logs for payment failures coinciding with Bluetooth disconnections
  • Implement manual verification for high-value transactions

🔍 How to Verify

Check if Vulnerable:

Check the app version in Settings: if it is 2.19.4 or earlier, the app is vulnerable.

Check Version:

Open CSC Pay app → Settings → About → Check version number

Verify Fix Applied:

Confirm app version shows 2.20.0 or later in app settings.

📡 Detection & Monitoring

Log Indicators:

  • Payment authorization failures with Bluetooth disconnection events
  • Transactions completing without successful payment confirmation

Network Indicators:

  • Bluetooth connection drops during payment authorization phase

SIEM Query:

source="csc_pay_logs" AND (event="payment_failure" AND bluetooth_status="disconnected")
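The SIEM query above matches single failure events. The log indicators listed earlier also describe a second, higher-priority signal: a laundry cycle that starts without a payment confirmation. The following Python script is an added example, not code from CSC or from this advisory, showing how a defender could correlate both signals per transaction over a few constructed log lines. The JSON log format and the field names (`txn`, `event`, `bluetooth_status`, `payment_confirmed`, `cycle_started`) are assumptions; adapt them to whatever the real transaction logs contain.

```python
"""Correlate constructed transaction logs to flag laundry cycles that started
without a payment confirmation, and Bluetooth drops during authorization.

Added example. The log layout and field names are hypothetical, not CSC's.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (one JSON object per line). Field names are assumed.
# T100: normal paid cycle. T101: Bluetooth drop, payment failure, cycle still starts.
# T102: Bluetooth drop and payment failure, no cycle started (matches the SIEM query).
SAMPLE_LOGS = """\
{"ts": "2025-06-01T10:00:00Z", "txn": "T100", "event": "payment_authorization_started", "bluetooth_status": "connected"}
{"ts": "2025-06-01T10:00:02Z", "txn": "T100", "event": "payment_confirmed", "bluetooth_status": "connected"}
{"ts": "2025-06-01T10:00:03Z", "txn": "T100", "event": "cycle_started", "bluetooth_status": "connected"}
{"ts": "2025-06-01T10:05:00Z", "txn": "T101", "event": "payment_authorization_started", "bluetooth_status": "connected"}
{"ts": "2025-06-01T10:05:01Z", "txn": "T101", "event": "bluetooth_status_change", "bluetooth_status": "disconnected"}
{"ts": "2025-06-01T10:05:01Z", "txn": "T101", "event": "payment_failure", "bluetooth_status": "disconnected"}
{"ts": "2025-06-01T10:05:02Z", "txn": "T101", "event": "cycle_started", "bluetooth_status": "disconnected"}
{"ts": "2025-06-01T10:10:00Z", "txn": "T102", "event": "payment_authorization_started", "bluetooth_status": "connected"}
{"ts": "2025-06-01T10:10:01Z", "txn": "T102", "event": "bluetooth_status_change", "bluetooth_status": "disconnected"}
{"ts": "2025-06-01T10:10:01Z", "txn": "T102", "event": "payment_failure", "bluetooth_status": "disconnected"}
"""


def parse_logs(text):
    """Group JSON log lines by transaction id, each group sorted by timestamp."""
    by_txn = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_txn[rec["txn"]].append(rec)
    for events in by_txn.values():
        events.sort(key=lambda r: r["ts"])
    return by_txn


def analyze_transaction(txn, events, window=timedelta(seconds=30)):
    """Return a finding dict for one transaction, or None if it looks normal.

    'unpaid_cycle': a cycle started although no payment confirmation was logged
    (the actual loss condition). 'bt_drop_during_auth': Bluetooth dropped inside
    the authorization window and payment was never confirmed (the weaker signal).
    """
    auth = next((e for e in events if e["event"] == "payment_authorization_started"), None)
    if auth is None:
        return None  # nothing to correlate against
    deadline = auth["ts"] + window
    dropped = any(
        e.get("bluetooth_status") == "disconnected" and auth["ts"] <= e["ts"] <= deadline
        for e in events
    )
    confirmed = any(e["event"] == "payment_confirmed" for e in events)
    cycle = any(e["event"] == "cycle_started" for e in events)
    if cycle and not confirmed:
        return {"txn": txn, "finding": "unpaid_cycle", "bluetooth_dropped": dropped}
    if dropped and not confirmed:
        return {"txn": txn, "finding": "bt_drop_during_auth", "bluetooth_dropped": True}
    return None


def find_suspicious(text):
    """Run the per-transaction check over a whole log text; keep only findings."""
    findings = []
    for txn, events in parse_logs(text).items():
        result = analyze_transaction(txn, events)
        if result is not None:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS):
        print(finding)
```

Alerting on `unpaid_cycle` rather than on every `payment_failure` keeps ordinary Bluetooth flakiness out of the queue: a drop that simply aborts the transaction is logged as the lower-priority `bt_drop_during_auth`, while a cycle that ran without confirmation is the event worth a manual check of that machine's revenue.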
