
Published: June 05, 2026, 23:52 UTC
A Creative Sound Blaster Katana V2X speaker sells for around $280 and has thousands of glowing reviews on Amazon. It also ships with a Bluetooth vulnerability that lets anyone within approximately 15 meters (about 50 feet) take over any computer plugged into it. The manufacturer says it is not a security risk and has no plans to fix it.
The researcher who discovered the flaw, Rasmus Moorats, stumbled on it by accident. He bought a Katana V2X and wanted to write a Linux tool to control it. What he found instead was a three-part attack chain that requires no pairing, no user interaction, and no physical access to the target machine.
Three flaws, one chain
The attack – which Moorats named “Pwnd Blaster” – exploits three separate design failures stacked on top of each other.
The first is authentication. The speaker’s communication protocol, CTP (Creative Transport Protocol), uses AES-256-GCM challenge-response over USB. But over Bluetooth Low Energy (BLE), it sends and accepts all commands without any authentication at all. No PIN, no pairing handshake, no encryption. Any Bluetooth radio within range can send commands to the speaker’s BLE port.
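The difference between the two transports described above comes down to whether the device demands proof of key possession before acting on a command. The following is an added example, not code from the article, from Creative, or from v2x-ctl: it models an authenticated command port (challenge-response with single-use nonces; HMAC-SHA256 stands in for the AES-256-GCM exchange the article mentions on USB) beside a port that, like the BLE path described here, executes whatever it receives. Class names and the command strings are constructed for the example and are not real CTP encodings.

```python
import hashlib
import hmac
import os


class AuthenticatedCommandPort:
    """Executes a command only after a fresh challenge has been answered under the shared key.

    Constructed model; HMAC-SHA256 stands in for the AES-256-GCM challenge-response the
    article describes on the USB transport.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._open_challenges = set()  # nonces issued but not yet consumed
        self.executed = []             # commands the device actually acted on

    def challenge(self) -> bytes:
        """Issue a random, single-use challenge to the would-be client."""
        nonce = os.urandom(16)
        self._open_challenges.add(nonce)
        return nonce

    def submit(self, nonce: bytes, command: bytes, proof: bytes) -> bool:
        # Unknown or already-consumed nonce: a replay or a forgery, so refuse.
        if nonce not in self._open_challenges:
            return False
        self._open_challenges.discard(nonce)  # every challenge is good for one command
        # The proof binds the key, the challenge and the exact command bytes.
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.executed.append(command)
        return True


class UnauthenticatedCommandPort:
    """Models a transport that acts on any command from any radio in range."""

    def __init__(self):
        self.executed = []

    def submit(self, command: bytes) -> bool:
        self.executed.append(command)
        return True


def client_proof(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """What a legitimate client computes in answer to a challenge."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


def run_scenarios(key: bytes) -> dict:
    """Exercise both ports; returns which submissions were accepted."""
    cmd = b"SET_VOLUME 30"  # constructed command, not a real CTP message
    auth = AuthenticatedCommandPort(key)

    n1 = auth.challenge()
    legit = auth.submit(n1, cmd, client_proof(key, n1, cmd))
    replayed = auth.submit(n1, cmd, client_proof(key, n1, cmd))  # same nonce again

    n2 = auth.challenge()
    wrong_key = auth.submit(n2, cmd, client_proof(b"not-the-device-key", n2, cmd))

    n3 = auth.challenge()
    # A valid proof for one command does not authorize a different command.
    swapped_cmd = auth.submit(n3, b"REBOOT", client_proof(key, n3, cmd))

    open_port = UnauthenticatedCommandPort()
    unauthenticated = open_port.submit(b"REBOOT")

    return {
        "authenticated_accepts_valid_proof": legit,
        "authenticated_accepts_replay": replayed,
        "authenticated_accepts_wrong_key": wrong_key,
        "authenticated_accepts_swapped_command": swapped_cmd,
        "unauthenticated_accepts_anything": unauthenticated,
        "authenticated_executed": list(auth.executed),
        "unauthenticated_executed": list(open_port.executed),
    }


if __name__ == "__main__":
    for name, value in run_scenarios(b"constructed-demo-key").items():
        print(f"{name}: {value}")
```

The point to take from the model is that the authenticated port's acceptance depends on three things at once (a fresh nonce, the key, and the exact command bytes), whereas the open port has no state that an unauthorized sender lacks; that is the gap the article describes between the speaker's USB and BLE transports.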
The second is firmware signing. The Katana V2X checks firmware updates against a simple SHA-256 checksum that is trivial to recompute. There is no cryptographic signature verification. An attacker can modify the firmware, recompute the checksum, and the speaker accepts it as legitimate.
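Why a checksum offers no protection against modification, and what a keyed check changes, is easy to show concretely. This is an added example and not code from the article, from Creative, or from v2x-ctl; the firmware image is a constructed byte string, and HMAC-SHA256 stands in for a proper asymmetric firmware signature (Python's standard library has no Ed25519/RSA), which is enough to demonstrate the property that matters: a verifier that only recomputes an unkeyed digest accepts any image whose digest was recomputed alongside it, while a verifier that needs a key the modifier does not hold does not.

```python
import hashlib
import hmac

# Constructed stand-in for a firmware image; not Katana V2X firmware.
FIRMWARE_IMAGE = b"DEMO-FW-v1.0\x00" + bytes(range(48))
DIGEST_LEN = 32  # both SHA-256 and HMAC-SHA256 produce 32 bytes


def package_checksum_only(image: bytes) -> bytes:
    """Checksum-only scheme: the image followed by an unkeyed SHA-256 of the image."""
    return image + hashlib.sha256(image).digest()


def verify_checksum_only(package: bytes) -> bool:
    """What a checksum-only verifier does: recompute the digest and compare."""
    image, digest = package[:-DIGEST_LEN], package[-DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha256(image).digest(), digest)


def package_keyed(image: bytes, key: bytes) -> bytes:
    """Keyed scheme (stand-in for a signature): image followed by HMAC-SHA256 under `key`."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def verify_keyed(package: bytes, key: bytes) -> bool:
    """A keyed verifier: only a tag produced with `key` over exactly this image passes."""
    image, tag = package[:-DIGEST_LEN], package[-DIGEST_LEN:]
    return hmac.compare_digest(hmac.new(key, image, hashlib.sha256).digest(), tag)


def flip_byte(image: bytes, offset: int) -> bytes:
    """Change one byte of the image; models an arbitrary modification."""
    buf = bytearray(image)
    buf[offset] ^= 0xFF
    return bytes(buf)


def compare_schemes(key: bytes) -> dict:
    """Run the same modified image through both verifiers."""
    modified = flip_byte(FIRMWARE_IMAGE, 20)
    genuine_tag = package_keyed(FIRMWARE_IMAGE, key)[-DIGEST_LEN:]
    return {
        "checksum_accepts_original": verify_checksum_only(package_checksum_only(FIRMWARE_IMAGE)),
        # Anyone can recompute an unkeyed digest over a modified image, so this passes.
        "checksum_accepts_modified": verify_checksum_only(package_checksum_only(modified)),
        "keyed_accepts_original": verify_keyed(package_keyed(FIRMWARE_IMAGE, key), key),
        # Without the key, the options are to reuse the old tag or attach an unkeyed digest;
        # the keyed verifier rejects both.
        "keyed_accepts_modified_with_stale_tag": verify_keyed(modified + genuine_tag, key),
        "keyed_accepts_modified_with_unkeyed_digest": verify_keyed(package_checksum_only(modified), key),
    }


if __name__ == "__main__":
    for name, accepted in compare_schemes(b"constructed-demo-key").items():
        print(f"{name}: {accepted}")
```

In a real device the key used by the verifier should be a public key burned into the firmware or a secure element, with the private half held only by the vendor's build pipeline; a shared-secret MAC like the one above would have to be extracted from the device before it could be abused, which is an improvement over an unkeyed checksum but not what "firmware signing" normally means.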
The third is the USB HID descriptor. The speaker already acts as a USB Human Interface Device for volume and multimedia control. By modifying just a few bytes in the firmware’s HID report descriptor, an attacker can add keyboard functionality. After the custom firmware is flashed, the speaker injects keystrokes into the host machine on every boot.
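From the host side, the observable sign of the descriptor change described above is a USB HID device that declares a keyboard top-level collection in addition to its consumer-control one. The following added example (not code from the article or from v2x-ctl) is a small HID report descriptor walker that lists the application collections a descriptor declares and flags keyboard or keypad usages; the two descriptors it runs on are constructed for the example, not taken from Katana V2X firmware. On Linux the raw descriptor for an attached device is readable from sysfs (the `report_descriptor` attribute under `/sys/bus/hid/devices/`), so the same function can audit real devices, for instance as a pre-check before a USB allowlisting policy admits a "speaker".

```python
from typing import Iterator, List, Tuple

# Constructed HID report descriptors (not taken from Katana V2X firmware).
# A consumer-control collection of the kind a volume/media controller exposes.
CONSUMER_CONTROL_DESC = bytes.fromhex(
    "050C"             # Usage Page (Consumer)
    "0901"             # Usage (Consumer Control)
    "A101"             # Collection (Application)
    "8501"             #   Report ID (1)
    "1500 2501"        #   Logical Minimum 0 / Logical Maximum 1
    "7501 9503"        #   Report Size 1, Report Count 3
    "09E9 09EA 09E2"   #   Usages: Volume Increment, Volume Decrement, Mute
    "8102"             #   Input (Data, Variable, Absolute)
    "9505 8103"        #   5 constant bits of padding
    "C0"               # End Collection
)

# A keyboard collection, the kind of addition the article describes.
KEYBOARD_DESC = bytes.fromhex(
    "0501"                                 # Usage Page (Generic Desktop)
    "0906"                                 # Usage (Keyboard)
    "A101"                                 # Collection (Application)
    "8502"                                 #   Report ID (2)
    "0507"                                 #   Usage Page (Keyboard/Keypad)
    "19E0 29E7"                            #   Usage Minimum/Maximum: modifier keys
    "1500 2501 7501 9508 8102"             #   8 modifier bits
    "9506 7508 1500 2565 1900 2965 8100"   #   6 key-code bytes
    "C0"                                   # End Collection
)

CONSUMER_PLUS_KEYBOARD_DESC = CONSUMER_CONTROL_DESC + KEYBOARD_DESC

# (usage page, usage) pairs that mean "this device can type".
KEYBOARD_USAGES = {(0x01, 0x06), (0x01, 0x07)}  # Generic Desktop: Keyboard, Keypad
MAIN, GLOBAL, LOCAL = 0, 1, 2                   # HID item types


def iter_items(desc: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (type, tag, size, data) for each short item; long items are skipped."""
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:               # long item: bDataSize, bLongItemTag, data
            i += 3 + desc[i + 1]
            continue
        size = prefix & 0x03
        if size == 3:                    # size code 3 means 4 data bytes
            size = 4
        item_type = (prefix >> 2) & 0x03
        tag = prefix >> 4
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little")
        yield item_type, tag, size, data
        i += 1 + size


def application_collections(desc: bytes) -> List[Tuple[int, int]]:
    """Return (usage page, usage) of every top-level Application collection."""
    usage_page = 0
    pending_usages: List[Tuple[int, int]] = []  # local Usage items since the last main item
    depth = 0
    found: List[Tuple[int, int]] = []
    for item_type, tag, size, data in iter_items(desc):
        if item_type == GLOBAL and tag == 0x0:          # Usage Page
            usage_page = data
        elif item_type == LOCAL and tag == 0x0:         # Usage
            if size == 4:                               # extended usage carries its own page
                pending_usages.append((data >> 16, data & 0xFFFF))
            else:
                pending_usages.append((usage_page, data))
        elif item_type == MAIN:
            if tag == 0xA:                              # Collection
                if depth == 0 and data == 0x01:         # Application collection at top level
                    found.append(pending_usages[0] if pending_usages else (usage_page, 0))
                depth += 1
            elif tag == 0xC:                            # End Collection
                depth -= 1
            pending_usages = []                         # main items consume local state
    return found


def declares_keyboard(desc: bytes) -> bool:
    """True if any top-level collection is a keyboard or keypad."""
    return any(usage in KEYBOARD_USAGES for usage in application_collections(desc))


if __name__ == "__main__":
    for name, desc in (("consumer control only", CONSUMER_CONTROL_DESC),
                       ("consumer control + keyboard", CONSUMER_PLUS_KEYBOARD_DESC)):
        cols = [f"page 0x{p:02X} usage 0x{u:02X}" for p, u in application_collections(desc)]
        print(f"{name}: {cols} keyboard={declares_keyboard(desc)}")
```

A device whose legitimate function is volume and media control has no reason to present a keyboard collection, so a host-side policy that refuses (or at least alerts on) keyboard usages from devices in an audio allowlist catches this class of change regardless of the vendor's firmware decisions.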
The complete attack chain: an attacker within BLE range sends unauthenticated CTP commands to flash malicious firmware. The speaker reboots. On reconnection, it injects keystrokes – opening PowerShell, dropping a payload, or installing a backdoor. No pairing. No warning. No user interaction.
The attack works against any PC, Mac, or Linux machine connected to the speaker via USB. The Bluetooth radio cannot be turned off. It stays active even when the speaker is in sleep mode.
No patch coming
Moorats reported the vulnerability to SingCERT (Singapore’s national CERT) on April 9, 2026. SingCERT relayed the report to Creative Technologies. The company’s formal response: “We do not consider this to be a vulnerability, as it does not present a cybersecurity risk.”
No CVE was assigned because Creative refused to acknowledge the issue. All firmware versions – including the latest, 1.3.230619.1820 – are affected. No official patch will be released.
Moorats created a mitigation firmware that disables CTP-over-Bluetooth at the cost of breaking Creative’s mobile app. His tool, v2x-ctl, lets users flash the hardened firmware themselves. For most users, the only reliable fix is physically disconnecting the USB cable when the speaker is not in use.
The bigger picture
The Katana V2X case is a textbook example of what security researchers call “weird machine” attacks – exploiting legitimate features (a USB speaker with a mobile app) in ways the designers never anticipated. The three flaws individually might not be critical, but in combination they create a full remote code execution path.
Creative’s refusal to patch is separate from the technical question of whether the vulnerability exists. BLE has a range of about 15 meters. That covers a co-working space, the adjacent hotel room, a cafe table a few meters away, or the apartment next door in a dense building. The attack does not require the speaker to be paired to the attacker’s device. The attacker’s device finds the speaker, sends commands, and the speaker obeys.
For owners of the Katana V2X, the practical takeaway is straightforward: unplug the USB cable when you are not actively using the speaker. That is the only effective defense available, and it will remain the only one indefinitely.
Sources: Ars Technica (June 6, 2026); Rasmus Moorats / nns.ee (June 3, 2026); Notebookcheck (June 2026); TechRadar (June 2026)

