Skip to main content
TechnologyJun 4, 2026· 3 min read

Creative Sound Blaster Katana V2X, Two Bluetooth Flaws Turn It Into a "Bug"

Creative Sound Blaster Katana V2X, a widely used PC soundbar in the gaming segment, can be transformed into a spying device and a keyboard injector by an attacker from about fifteen meters away, without Bluetooth pairing and without any physical contact. An analysis published by an independent researcher documents this, having decompiled the device's firmware and chained two vulnerabilities to execute commands on the PC to which the soundbar is connected via USB.

The mechanism revolves around CTP, the proprietary protocol with which Creative's app communicates with the soundbar. Over USB, the protocol requires a challenge-response authentication before accepting commands; however, the same handler is also connected to the Bluetooth Low Energy interface, where that control disappears. Anyone can connect via BLE to a Katana V2X within range and start sending commands, reading information, and changing settings without first pairing with the device.

The problem becomes serious because firmware updates also go through CTP, and the firmware is not protected by digital signature. The only check is a SHA-256 checksum at the end of the packet, trivial to recalculate: the device accepts any modified image as long as the checksum matches. By combining these two aspects, the researcher uploaded a custom firmware to a non-paired soundbar via Bluetooth in about ten minutes without any authentication.

Microphone and Keyboard

The soundbar integrates a microphone: hostile firmware can turn it into a bug that listens to the environment and forwards audio. More insidiously, the second scenario arises: since for the PC the Katana V2X is a trusted USB device and already presents itself as a HID device for volume and playback controls, the researcher extended the descriptor to have it recognized also as a keyboard, effectively obtaining a remote Rubber Ducky. In other words, the modified firmware can type commands at startup, in the proof of concept a harmless echo pwned, while in a real attack it could open PowerShell to paste a malicious line.

The setup is minimal: 83 bytes for the USB descriptor and 102 bytes of ARM/Thumb assembly for the key injector. An attacker, the researcher notes, could also disable the update process, making the hostile firmware permanent and non-removable. The situation is compounded by the fact that the soundbar’s Bluetooth remains active even in standby, with no apparent way to turn it off.

Creative Does Not Acknowledge the Issue

The technique is not conceptually new: reprogramming the firmware of a USB device to act as a keyboard is the same idea behind BadUSB, a class of attacks publicized in 2014 by SR Labs. The novelty lies in the vector because there is no need to physically replace or tamper with the device: an open Bluetooth range is enough.

The most discouraging part concerns the handling of reports. Creative does not have dedicated security contacts; after two unsuccessful attempts via the support module, the researcher turned to SingCERT as an intermediary. The manufacturer took almost two months to respond, only to dismiss the matter: in its view, it does not constitute a vulnerability because "it does not present a cybersecurity risk." No patch is planned, and the latest available firmware remains exposed.

In the absence of an official fix, the only remedy is an independent tool released by the same researcher, which downloads the official firmware, modifies it to block CTP over Bluetooth, and rewrites it to the device via USB. The trade-off is the probable breakage of the Creative mobile app, but for now, it remains the only way to close the attack vector.