CVE-2017-5554 in OP3
Summary
by MITRE
An issue was discovered in ABOOT in OnePlus 3 and 3T OxygenOS before 4.0.2. The attacker can reboot the device into the fastboot mode, which could be done without any authentication. A physical attacker can press the "Volume Up" button during device boot, where an attacker with ADB access can issue the adb reboot bootloader command. Then, the attacker can put the platform's SELinux in permissive mode, which severely weakens it, by issuing: fastboot oem selinux permissive.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/14/2026
The vulnerability identified as CVE-2017-5554 represents a critical security flaw in the ABOOT bootloader component of OnePlus 3 and 3T devices running OxygenOS versions prior to 4.0.2. This issue fundamentally undermines the device's security architecture by creating an unauthorized access vector that bypasses normal authentication mechanisms. The vulnerability operates at the lowest level of the device's boot process, specifically targeting the Android bootloader's security controls that are designed to prevent unauthorized system modifications. The flaw exists in the physical attack surface of the device, where an attacker with minimal physical access can exploit a well-known boot sequence manipulation technique. This represents a classic example of a hardware-level security weakness that affects the device's integrity protection mechanisms and compromises the entire security chain.
The technical implementation of this vulnerability exploits the device's boot process by leveraging the standard fastboot protocol functionality that is typically intended for legitimate device recovery and development purposes. When an attacker presses the volume up button during boot, they can trigger the device to enter fastboot mode without requiring any authentication credentials. This physical button press mechanism, combined with the ability to issue adb reboot bootloader commands, creates a direct pathway to the device's bootloader interface. The vulnerability becomes particularly dangerous when the attacker can then execute fastboot oem selinux permissive commands, which effectively disables the Security-Enhanced Linux framework that provides mandatory access controls and policy enforcement for the Android system. This command transforms the device's security model from enforcing strict security policies to operating in a permissive mode where security restrictions are essentially disabled.
The operational impact of CVE-2017-5554 extends far beyond simple device rebooting capabilities, as it fundamentally compromises the device's security posture and creates persistent attack vectors for malicious actors. Once an attacker successfully executes the exploit chain, they gain the ability to modify system components, install unauthorized software, and potentially extract sensitive data from the device without detection. The permissive SELinux mode creates a security environment where standard Android security controls are rendered ineffective, allowing for arbitrary file system modifications and privilege escalation. This vulnerability aligns with attack patterns described in the MITRE ATT&CK framework under the T1059 (Command and Scripting Interpreter) and T1068 (Exploitation for Privilege Escalation) techniques, as it enables attackers to execute commands with elevated privileges through legitimate bootloader interfaces. The vulnerability also maps to CWE-284 (Improper Access Control) and CWE-310 (Cryptographic Issues) categories, reflecting the weak access control mechanisms and the exposure of sensitive security functions.
Mitigation strategies for this vulnerability require both immediate device-level fixes and long-term architectural improvements to prevent similar issues in future implementations. The primary solution involves updating the device's firmware to OxygenOS version 4.0.2 or later, which patches the bootloader behavior and removes the unauthorized access path to fastboot mode. Device manufacturers should implement enhanced bootloader security measures that prevent unauthorized access through physical button combinations and ensure that only authenticated users can execute fastboot commands. Additionally, security researchers and device manufacturers should consider implementing hardware-level protections that prevent unauthorized access to the bootloader interface, such as secure boot mechanisms that verify the integrity of the boot process and prevent the execution of unsigned code. The vulnerability highlights the importance of applying the principle of least privilege even at the bootloader level, where all access controls should be strictly enforced regardless of the user's physical proximity to the device. Organizations should also implement comprehensive device management policies that monitor for unauthorized bootloader access and establish protocols for immediate response to potential exploitation attempts.