
CVE-2025-46018

Severity: Medium
Type: Vulnerability
Published: Fri Aug 01 2025 (08/01/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

CSC Pay Mobile App 2.19.4 (fixed in version 2.20.0) contains a vulnerability allowing users to bypass payment authorization by disabling Bluetooth at a specific point during a transaction. This could result in unauthorized use of laundry services and potential financial loss.

AI-Powered Analysis

Last updated: 08/01/2025, 14:02:41 UTC

Technical Analysis

CVE-2025-46018 is a vulnerability in the CSC Pay Mobile App version 2.19.4, addressed in version 2.20.0. The flaw allows users to bypass payment authorization by disabling Bluetooth at a specific point during a transaction. The app appears to rely on Bluetooth connectivity as part of its payment authorization flow, likely to communicate with payment terminals or devices such as laundry machines. Interrupting Bluetooth communication at that critical moment lets an attacker or user circumvent the normal authorization checks and use the service without completing a valid payment. The vulnerability affects the integrity of the payment process: transactions complete without proper authorization, potentially causing financial losses for service providers. Exploitation requires no user interaction beyond disabling Bluetooth, a trivial action, and no authentication beyond ordinary access to the app and the service. No known exploits are currently reported in the wild, and no CVSS score has been assigned. The vulnerability is limited to a specific app version and is fixed in a subsequent release, so a patch is available but may not yet be widely deployed.

Potential Impact

For European organizations, particularly those operating laundromats or similar vending services that use the CSC Pay Mobile App, this vulnerability could lead to unauthorized service usage and direct financial losses. The integrity of payment transactions is compromised, which may undermine trust in mobile payment solutions. Organizations may face increased operational costs from unpaid usage and may need to invest in additional monitoring or alternative payment verification methods. If exploited at scale, the issue could also damage brand reputation and customer confidence in mobile payment technologies. While the impact on confidentiality and availability is minimal, the impact on financial and transactional integrity is significant. Organizations may additionally face compliance and audit challenges if payment authorization controls are shown to have been bypassed.

Mitigation Recommendations

Organizations should promptly update the CSC Pay Mobile App to version 2.20.0 or later, where the vulnerability is fixed. Until the update is applied, organizations can monitor for unusual usage patterns indicative of unauthorized transactions. They should also educate users and staff about the risk of disabling Bluetooth during transactions and consider technical controls that prevent Bluetooth from being disabled during payment, such as app-level checks or device management policies. Where possible, adding authentication or transaction verification steps that do not depend on Bluetooth connectivity can reduce risk. Vendors should be engaged to ensure timely patch deployment and to verify that the fix is effective in the operational environment. Regular audits of payment transaction logs can help identify potential exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 688cc57fad5a09ad00c944f4

Added to database: 8/1/2025, 1:47:43 PM

Last enriched: 8/1/2025, 2:02:41 PM

Last updated: 8/2/2025, 3:24:07 AM

