Research & Development


Bootloader downgrade via improper tokenization

Severity: 7.3 (High)


Affected product: PAX A920 POS terminal

Affected versions: PayDroid 7.1.2_Aquarius_11.1.50_20230614 or lower

Reported by: Adam Kliś, Hubert Jasudowicz and other members of STM Cyber R&D

In the PAX A920, an attacker can reboot the terminal into fastboot mode and flash the aboot partition with an older, still validly signed bootloader image. The version check that should block such a rollback is skipped, so the device accepts the image and boots the previously vulnerable bootloader.
Exploitation requires physical USB access to the device.
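The root cause is that the flashing path trusts the image signature alone and never compares the incoming bootloader version against the one already installed. The C code below is an added illustration written for this page, not PAX or STM Cyber code: it parses a constructed image header and shows a flasher that accepts any correctly signed image beside one that also enforces a monotonic minimum version. The header layout, the sig_ok byte standing in for real signature verification, and the in-memory version counter are assumptions made for the example and are not the real aboot format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example, not vendor code. The header format, the sig_ok byte
 * (stand-in for a real signature check) and the device state are
 * constructed for illustration; real aboot images look nothing like this.
 */

#define IMG_MAGIC 0x544F4F42u   /* bytes "BOOT" when stored little-endian */
#define HDR_LEN   13            /* magic(4) + version(4) + payload_len(4) + sig_ok(1) */

struct img_header {
    uint32_t magic;
    uint32_t version;      /* security version; must never go backwards */
    uint32_t payload_len;
    uint8_t  sig_ok;       /* stand-in for the result of signature verification */
};

/* Minimum acceptable version. On a real device this lives in fuses or RPMB. */
struct device_state {
    uint32_t min_version;
};

enum flash_result {
    FLASH_OK = 0,
    FLASH_TRUNCATED,
    FLASH_BAD_MAGIC,
    FLASH_BAD_SIG,
    FLASH_ROLLBACK
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the constructed header, checking lengths before reading any field. */
enum flash_result parse_header(const uint8_t *buf, size_t len, struct img_header *h) {
    if (len < HDR_LEN) return FLASH_TRUNCATED;
    h->magic       = rd_le32(buf);
    h->version     = rd_le32(buf + 4);
    h->payload_len = rd_le32(buf + 8);
    h->sig_ok      = buf[12];
    if (h->magic != IMG_MAGIC) return FLASH_BAD_MAGIC;
    if (len - HDR_LEN < h->payload_len) return FLASH_TRUNCATED;
    return FLASH_OK;
}

/* Vulnerable path: a valid signature is sufficient, so any older signed image is accepted. */
enum flash_result flash_aboot_vuln(struct device_state *dev, const uint8_t *img, size_t len) {
    struct img_header h;
    enum flash_result r = parse_header(img, len, &h);
    if (r != FLASH_OK) return r;
    if (!h.sig_ok) return FLASH_BAD_SIG;
    (void)dev;                      /* the installed version is never consulted */
    return FLASH_OK;
}

/* Hardened path: signature AND version >= stored minimum, then ratchet the minimum forward. */
enum flash_result flash_aboot_hardened(struct device_state *dev, const uint8_t *img, size_t len) {
    struct img_header h;
    enum flash_result r = parse_header(img, len, &h);
    if (r != FLASH_OK) return r;
    if (!h.sig_ok) return FLASH_BAD_SIG;
    if (h.version < dev->min_version) return FLASH_ROLLBACK;
    dev->min_version = h.version;   /* monotonic: only ever moves up */
    return FLASH_OK;
}

/* Build a constructed image: header followed by a zeroed payload. Returns total length or 0. */
size_t make_image(uint8_t *out, size_t cap, uint32_t version, uint8_t sig_ok, uint32_t payload_len) {
    if (cap < HDR_LEN + (size_t)payload_len) return 0;
    uint32_t fields[3] = { IMG_MAGIC, version, payload_len };
    for (int i = 0; i < 3; i++) {
        out[4 * i + 0] = (uint8_t)(fields[i] & 0xff);
        out[4 * i + 1] = (uint8_t)((fields[i] >> 8) & 0xff);
        out[4 * i + 2] = (uint8_t)((fields[i] >> 16) & 0xff);
        out[4 * i + 3] = (uint8_t)((fields[i] >> 24) & 0xff);
    }
    out[12] = sig_ok;
    memset(out + HDR_LEN, 0, payload_len);
    return HDR_LEN + payload_len;
}

int main(void) {
    uint8_t img[64];
    struct device_state dev = { 7 };                   /* device currently runs version 7 */
    size_t n = make_image(img, sizeof img, 5, 1, 16);  /* older, but correctly signed */
    printf("vulnerable flasher: %s\n",
           flash_aboot_vuln(&dev, img, n) == FLASH_OK ? "accepted downgrade" : "rejected");
    printf("hardened flasher:   %s\n",
           flash_aboot_hardened(&dev, img, n) == FLASH_ROLLBACK ? "rejected downgrade" : "accepted");
    return 0;
}
```

The important property of the hardened path is that the minimum version only ever increases, and it is raised only after the signature and version checks both pass; a downgrade attempt therefore fails even though the old image carries a perfectly valid vendor signature.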

The vulnerability writeup with a PoC can be found in the blog post:

Disclosure timeline:
  • 07-04-2023 - first contact with the vendor, briefly describing the vulnerabilities (no reply)
  • 08-05-2023 - second attempt to contact the vendor (successful)
  • 10-05-2023 - technical details of all vulnerabilities sent to the vendor (with PoC)
  • 01-08-2023 - CERT.PL contacted to assign CVEs (instant reply)
  • 09-10-2023 - further contact with PAX regarding fixes for the reported vulnerabilities
  • 30-11-2023 - STM Cyber verifies the patches
  • 15-01-2024 - public release