NVD Published Date: 08/29/2025
NVD Last Modified: 08/29/2025

Preface: If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application.
Background: In the AndroidManifest.xml, components can declare the android:exported attribute. If this attribute is set to true (or implicitly true in older Android versions or without explicit declaration for components with intent filters), it allows other applications to launch or interact with that component. If this is not properly restricted, it can become a vulnerability.
Vulnerability details: See below
CVE-2025-9671 (CVSS 5.3) UAB Paytend App (≤ 2.1.9)
- Improper export of components via AndroidManifest.xml.
- Exploitable locally
- CWE-926
CVE-2025-9672 (CVSS 5.3) Rejseplanen App (≤ 8.2.2)
- Local attack exploiting exported components.
- CWE-926
CVE-2025-9673 (CVSS 5.3) Kakao Hey Kakao App (≤ 2.17.4)
- Local manipulation of manifest leads to exposed components.
- CWE-926
CVE-2025-9674 (CVSS 5.3) Transbyte Scooper News App (≤ 1.2)
- Manifest misconfiguration allows component export.
- CWE-926
CVE-2025-9675 (CVSS 5.3) Voice Changer App (≤ 1.1.0)
- Local exploit due to improperly exported components.
- CWE-926
Official announcement: Please see the link for details
https://nvd.nist.gov/vuln/detail/CVE-2025-9671
https://nvd.nist.gov/vuln/detail/CVE-2025-9672
https://nvd.nist.gov/vuln/detail/CVE-2025-9673