The attack that shouldn't be possible — but is

Picture a $283 soundbar sitting on a desk, plugged into a PC via USB, playing music. To every security tool watching that machine, the speaker is a trusted, known device — essentially invisible. To an attacker sitting in the parking lot outside, it's an open door.

That is the reality of a vulnerability discovered in Creative Technologies' Sound Blaster Katana V2X. Researcher Rasmus Moorats found the flaw after purchasing the soundbar himself. What he uncovered is an attack chain that requires zero user interaction: a malicious Bluetooth signal reaches the speaker, the speaker's firmware processes it, and because the device holds an established USB trust relationship with the connected PC, arbitrary code executes on that machine. The attacker never touches the computer. The user never clicks anything. Nothing looks wrong.

Modern operating systems are built to make remote code execution hard. Windows, macOS, and Linux all layer privilege separation, code-signing requirements, and a reduced network-facing attack surface specifically to stop this kind of outcome. Those defenses work — against attacks that come through the front door. The Katana V2X vulnerability doesn't break those protections. It walks around them entirely, using the peripheral firmware as a silent proxy and the USB connection as a pre-approved execution channel.