{"rewrite":{"id":"r_1b90b5ac4a689701bebe2156","clusterId":"c_8974cb8ca1935da9bae5e7c8","slug":"creative-katana-v2x-speaker-vulnerability-lets-attackers-hack-pcs-via-bluetooth","model":"deepseek-v4-flash","headline":"Creative Katana V2X Speaker Vulnerability Lets Attackers Hack PCs Via Bluetooth","summary":"Security researcher Rasmus Moorats discovered that Creative's Katana V2X sound system can be attacked via Bluetooth from up to 15 meters away, allowing malicious firmware to be written to the device. The exploit, called Pwnd Blaster, could turn the speaker into an eavesdropping device or a keyboard input tool. Creative did not patch the vulnerability.","whyItMatters":"The vulnerability turns a trusted USB peripheral into an attack vector, and Creative's refusal to treat it as a security risk leaves users exposed with no fix in sight.","webCardHtml":"\u003cp\u003eSecurity researcher Rasmus Moorats demonstrated that Creative's Katana V2X sound system is vulnerable to a Bluetooth-based attack he calls Pwnd Blaster. An attacker within about 15 meters can write malicious firmware to the device without pairing. Because the speaker connects to a PC via USB, the compromised speaker can act as a keyboard input device or, if it has a microphone, as an eavesdropping tool.\u003c/p\u003e\u003cp\u003eMoorats reverse-engineered Creative's proprietary CTP protocol, which handles firmware updates over both USB and Bluetooth. He found that Bluetooth GATT commands require no authentication, and the firmware update only checks a SHA-256 hash. After creating a proof-of-concept firmware that replaced the boot string, he succeeded in writing it over Bluetooth in about 10 minutes. He also added a keyboard descriptor to the USB device and made the speaker type 'echo pwned' after boot.\u003c/p\u003e\u003cp\u003eMoorats reported the vulnerability to Creative via Singapore's SingCERT. Creative responded that the report did not indicate a cybersecurity risk and has not issued a patch. Moorats released a firmware patch that blocks CTP over Bluetooth, but it breaks Creative's mobile app.\u003c/p\u003e","blueskyPost":"Creative Katana V2X speaker has a Bluetooth vulnerability that lets attackers write malicious firmware from 15 meters away. Creative did not patch it. The speaker becomes a keyboard injection tool.","twitterPost":"Creative Katana V2X speaker can be hijacked via Bluetooth from 15 meters away. No patch exists. Attackers can inject keystrokes.","threadsPost":"Creative Katana V2X speaker has an unpatched Bluetooth vulnerability. Researcher Rasmus Moorats found that attackers from 15 meters away can upload malicious firmware, turning the speaker into an eavesdropping device or a keyboard input tool. Creative did not issue a fix. The exploit is named Pwnd Blaster.","newsletterBlurb":"Security researcher Rasmus Moorats discovered a Bluetooth vulnerability in Creative's Katana V2X sound system that lets attackers write malicious firmware from up to 15 meters away. The compromised speaker can act as a keyboard or eavesdropping device. Creative declined to patch the issue.","attributionJson":"[{\"source\":\"GIGAZINE\",\"url\":\"https://gigazine.net/news/20260604-creative-pwnd-blaster/\",\"title\":\"Exploit 'Pwnd Blaster' Discovered That Attacks PC via Creative Bluetooth Speaker Without Touching It\"}]","lintFlagsJson":null,"lintHits":0,"costUsd":0,"inputTokens":4209,"outputTokens":658,"status":"published","repairAttempts":0,"nextRepairAt":null,"factsAttemptedAt":1780559303,"createdAt":"2026-06-04T07:42:16.000Z","publishedAt":"2026-06-04T07:46:20.000Z","updatedAt":"2026-06-04T07:46:20.000Z"},"cluster":{"id":"c_8974cb8ca1935da9bae5e7c8","canonicalTitle":"CreativeのBluetoothスピーカーを使ってPCに触れることなく攻撃するエクスプロイト「Pwnd Blaster」が発見される","representativeArticleId":"a_1fa043dcb3f7a89c5be9791f","sourceCount":1,"writtenSourceCount":1,"writeAttempts":0,"isSolo":true,"entitiesJson":"{\"anime_titles\":[],\"manga_titles\":[],\"work_titles\":[],\"studios\":[],\"people\":[\"Rasmus Moorats\"],\"type\":\"news\",\"domain\":\"other\",\"is_roundup\":false}","contentType":"news","status":"published","firstSeenAt":"2026-06-04T07:00:00.000Z","lastSeenAt":"2026-06-04T07:00:00.000Z","updatedAt":"2026-06-04T07:46:20.000Z"},"attribution":[{"source":"GIGAZINE","url":"https://gigazine.net/news/20260604-creative-pwnd-blaster/","title":"CreativeのBluetoothスピーカーを使ってPCに触れることなく攻撃するエクスプロイト「Pwnd Blaster」が発見される"}],"entities":{"anime_titles":[],"manga_titles":[],"work_titles":[],"studios":[],"people":["Rasmus Moorats"],"type":"news","domain":"other","is_roundup":false},"keyFacts":["The exploit, called Pwnd Blaster, can turn the speaker into a keyboard input tool or an eavesdropping device if it has a microphone, because the speaker connects to a PC via USB.","Moorats reverse-engineered Creative's proprietary CTP protocol and found that Bluetooth GATT commands require no authentication, with firmware updates only checking a SHA-256 hash.","Creative did not patch the vulnerability after Moorats reported it via Singapore's SingCERT, stating the report did not indicate a cybersecurity risk.","Moorats released a firmware patch that blocks CTP over Bluetooth, but it breaks Creative's mobile app."]}
