Creative Sound Blaster Katana V2X Remote Exploit Published, No Patch Coming

A remote exploit for the Creative Sound Blaster Katana V2X soundbar was published on June 3, 2026. The attack chains two flaws to take over a PC. No patch is coming.

Creative Sound Blaster Katana V2X
Creative Sound Blaster Katana V2X

A remote exploit for Creative's Sound Blaster Katana V2X soundbar was published on June 3, 2026. The attack chains two security flaws to take over a connected PC. No patch is coming from Creative.

Exploit chains two security flaws

The Sound Blaster Katana V2X is a $300 PC speaker system. It connects over Bluetooth Low Energy and USB. The exploit targets its BLE command interface and firmware update mechanism.

Researcher Rasmus Moorats demonstrated the attack. The first flaw is an unauthenticated BLE command interface. The second is that firmware updates are not cryptographically signed. An attacker can flash custom firmware from up to 15 meters away without pairing.

Third-party mitigation tool available

The custom firmware can add a keyboard HID descriptor. This lets the attacker inject keystrokes into the host computer. The attack requires no physical access to the speaker.

Creative was notified of the issue. The company responded that it is not a vulnerability. Creative stated no patch will be released.

A third-party mitigation tool called v2x-patcher is available. It may break the official Creative mobile app. Users must decide between security and full functionality.

The Sound Blaster Katana V2X has a confirmed remote exploit with no vendor fix. Users can use third-party tools or disable Bluetooth on the speaker.

Discussion

0 comments

Log in to join the thread with a thoughtful take, question, or correction.

Add to the discussion