TopVuln

High-risk vulnerability digests

CVE-2009-0244

  • HIGH

cve@mitre.org

Details

CVSS v3: 8.8
CVSS v2: 8.5
NVD published: 2009-01-21 20:30:00
EPSS: 17.4% probability · 95.1th percentile (2026-05-12)
Affected versions: Windows Mobile 6 Professional, Windows Mobile 5.0 Pocket PC/Phone Edition
Summary
This directory traversal vulnerability exists in the OBEX FTP Service of the Microsoft Bluetooth stack for embedded Windows Mobile systems. Remote authenticated attackers can traverse directories, list arbitrary content, and read or create arbitrary files on the affected device. It can be leveraged to achieve full arbitrary code execution by writing malicious files to the system Startup folder.
Remediation
Apply all available official security updates from Microsoft for affected Windows Mobile versions. If the device is no longer supported, restrict Bluetooth pairing to only pre-approved trusted devices to block exploitation attempts. Disable the OBEX FTP service entirely when it is not in use to reduce attack surface.
Exploit info
No public exploit found yet.


Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.