CVE-2026-4272
Published: 05 April 2026
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2026-4272 is a Missing Authentication for Critical Function vulnerability in Honeywell Handheld Scanners, enabling Authentication Abuse. It affects specific versions of the scanner base stations: C1 Base (Ingenic x1000) prior to GK000432BAA, D1 Base (Ingenic x1600) prior to HE000085BAA, and A1/B1 Base (IMX25) prior to BK000763BAA, BK000765BAA, or CU000101BAA. The issue stems from a lack of authentication mechanisms for critical functions, as documented in the National Vulnerability Database (NVD) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and mapped to CWE-306.
A remote attacker within Bluetooth range of the affected scanner's base station can exploit this vulnerability without authentication. Exploitation requires user interaction; on success, the attacker can execute system commands on the host device connected to the base station. The result is a high-impact loss of confidentiality and integrity on the connected system, potentially compromising it entirely.
Honeywell advisories, as referenced in the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-4272), strongly recommend upgrading to the latest firmware versions identified for each affected base station model to mitigate the vulnerability. No additional workaround details are provided in the available references.
Details
CWE(s): CWE-306 (Missing Authentication for Critical Function)
MITRE ATT&CK Enterprise Techniques: T1210 (Exploitation of Remote Services), T1059 (Command and Scripting Interpreter)
Why these techniques?
Missing authentication enables unauthenticated exploitation of the base station's Bluetooth interface (T1210) to execute system commands on the connected host (T1059).