Security researcher 'nns' has disclosed critical vulnerabilities in the Creative Sound BlasterX Katana V2X that allow attackers to remotely hijack connected PCs without physical access or pairing. The vulnerabilities, published on June 3, 2026, enable attackers within 15 meters to inject keystrokes and flash custom firmware through the device's unauthenticated Bluetooth Low Energy interface. Creative has refused to issue a patch, stating they do not consider the flaws a cybersecurity risk.
Unauthenticated Bluetooth Protocol Exposes PC Control
The Katana V2X is a USB-connected PC sound bar that uses Creative Transport Protocol (CTP) for configuration. The device's Bluetooth Low Energy interface exposes its entire command protocol to any nearby device without requiring authentication or pairing. Commands that normally require a handshake over USB are accepted unchallenged over BLE, allowing attackers to send arbitrary commands to the speaker and, through it, to the connected PC.
The researcher chained two unpatched flaws to achieve remote firmware flashing over Bluetooth. Once compromised, the device functions as a wireless BadUSB/Rubber Ducky, capable of injecting keystrokes into the host PC. This effectively transforms the sound bar into a covert spying tool that attackers can control remotely.
Vendor Refuses to Patch Known Security Flaws
Creative's response to the disclosure has drawn criticism from the security community. The company stated they "do not consider this to be a vulnerability, as it does not present a cybersecurity risk" and confirmed no patch is forthcoming. This position contradicts the demonstrated attack capabilities, which include complete PC compromise through keystroke injection.
The researcher previously reverse-engineered the Katana V2X protocol in February 2026, documenting the USB protocol and IR codes in the GitHub repository therion23/KatanaHacking. The current exploit builds on that foundational work.
Broader Implications for USB Peripherals
The vulnerability demonstrates risks inherent in unauthenticated wireless protocols on USB peripherals. The "BadUSB via Bluetooth" attack vector may apply to other consumer devices that combine USB connectivity with BLE interfaces. Security researchers on Hacker News noted this could represent a broader class of vulnerabilities in consumer electronics that lack proper security review processes.
The disclosure highlights a disconnect between security researchers and consumer electronics vendors on threat modeling. While Creative dismisses the attack as not presenting cybersecurity risk, the demonstrated capabilities include remote PC compromise, firmware manipulation, and surveillance—all achievable without physical access.
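With no vendor patch coming, one host-side check is to watch for a USB audio device that gains a keyboard interface after a firmware change. The following is an added example, not code from the researcher or from Creative. It assumes a Linux host and assumes keystroke injection shows up as a HID boot-keyboard interface; the device IDs and interface sets are constructed placeholders.

```python
import os

AUDIO, HID = 0x01, 0x03             # USB interface class codes
BOOT_KEYBOARD = (0x03, 0x01, 0x01)  # HID, boot subclass, keyboard protocol

def read_sysfs(root="/sys/bus/usb/devices"):
    """Map 'vid:pid' -> set of (class, subclass, protocol) from Linux sysfs."""
    def attr(path, name):
        with open(os.path.join(path, name)) as fh:
            return fh.read().strip()
    devices = {}
    for entry in sorted(os.listdir(root)) if os.path.isdir(root) else []:
        if ":" not in entry:                 # interfaces are named like "1-2:1.0"
            continue
        try:
            parent = os.path.join(root, entry.split(":")[0])
            key = attr(parent, "idVendor") + ":" + attr(parent, "idProduct")
            triple = tuple(int(attr(os.path.join(root, entry), n), 16) for n in
                           ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
        except (OSError, ValueError):
            continue                         # root hubs and unreadable entries
        devices.setdefault(key, set()).add(triple)
    return devices

def audit(baseline, current):
    """Return (device, interface, severity) for each HID interface absent from baseline."""
    findings = []
    for dev in sorted(current):
        has_audio = any(cls == AUDIO for cls, _, _ in current[dev])
        for iface in sorted(current[dev] - baseline.get(dev, set())):
            if iface[0] != HID:
                continue
            # Only boot keyboards are identifiable from interface descriptors; other
            # new HID interfaces need their report descriptor inspected by hand.
            high = iface == BOOT_KEYBOARD and has_audio
            findings.append((dev, iface, "high" if high else "review"))
    return findings

# Constructed sample data: "ffff:0001" is a placeholder ID for a USB sound bar.
BASELINE = {"ffff:0001": {(1, 1, 0), (1, 2, 0), (3, 0, 0)}}
AFTER = {"ffff:0001": {(1, 1, 0), (1, 2, 0), (3, 0, 0), (3, 1, 1)},
         "ffff:0002": {(3, 1, 2)}}   # newly plugged boot mouse, not in baseline

if __name__ == "__main__":
    for finding in audit(BASELINE, AFTER):
        print(finding)
```

On a real host, save the output of `read_sysfs()` as the baseline while the device is in a known-good state and pass a fresh `read_sysfs()` result as `current`.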
Key Takeaways
- Creative Sound BlasterX Katana V2X exposes its entire command protocol over unauthenticated Bluetooth Low Energy, allowing attackers within 15 meters to send arbitrary commands without pairing
- The researcher chained two vulnerabilities to remotely flash custom firmware and inject keystrokes into connected PCs, turning the speaker into a wireless BadUSB device
- Creative refuses to issue a patch, stating the flaws do not present a cybersecurity risk despite demonstrated remote PC hijacking capabilities
- The vulnerability may represent a broader class of security issues in USB peripherals with wireless interfaces that lack authentication
- Attack requires no physical access or user interaction—only proximity to the device