CVE-2025-47147 in Command Centre Mobile Client
Summary
by MITRE • 03/03/2026
Cleartext Storage of Sensitive Information (CWE-312) in the Command Centre Mobile Client on Android and iOS could allow an attacker with access to a logged-in Operator's mobile device to extract the session token and exploit access for a limited duration.
This issue affects Command Centre Mobile Client versions prior to 9.40.123.
Analysis
by VulDB Data Team • 03/04/2026
CVE-2025-47147 is a cleartext storage weakness (CWE-312) in the Command Centre Mobile Client on both Android and iOS. CWE-312 covers sensitive data written to storage without encryption, and the sensitive item here is the Operator's session token: the client keeps it in a form that can be read back by anyone who can read the application's storage. The precondition is access to a device on which an Operator is logged in, so this is a device-compromise or lost-device scenario rather than a remote attack, and the advisory bounds the consequence to use of that session for a limited duration. The severity should be read in that light: the exposure is real, but it requires the device and it is limited by the token's lifetime.
The root cause is that the client does not protect the session token at rest. When an Operator authenticates, the token that authorizes subsequent requests to Command Centre is persisted in the application's local storage without encryption (the advisory does not name the exact storage location or file format). Anyone who can read that storage, through an unlocked or rooted device, a device backup, or a forensic image of the storage, can recover the token with ordinary file inspection; no exploit, no privilege escalation within the app, and no interaction with the Operator is needed. Because the attack runs entirely on the device, it does not depend on network position or on social engineering, which puts it within reach of an attacker with basic mobile forensics skills.
The operational impact is session hijacking: a recovered token lets the attacker act as that Operator against the Command Centre server until the token expires or the server revokes it, with whatever rights the Operator's role grants. That can include reading restricted data and, depending on the role, changing configuration or issuing commands, so confidentiality, integrity and availability of the protected system are all in scope for the duration of the session. The window is bounded by the token lifetime, which is why the advisory describes the access as limited. Whether the attacker can extend that window depends on how the server handles session renewal and device binding, which the advisory does not state; a defender should therefore assume the full remaining lifetime is usable and treat a lost or stolen Operator device as a credential exposure that calls for revoking that Operator's sessions rather than waiting for expiry.
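The two paragraphs above describe what an assessor actually does with a device or backup: read the app's storage, look for a token, and work out how long it remains usable. The following script is an added example written for this page, not code from Gallagher or from the Command Centre Mobile Client, and it assumes nothing about the real client's storage layout. It parses two constructed artifacts in the shapes such data commonly takes (an Android SharedPreferences XML file and an iOS NSUserDefaults plist export), flags any string value shaped like a JWT, and decodes the payload's exp claim to report the remaining validity window. A third constructed artifact shows what the same key would look like if the value were stored as opaque ciphertext, which the check correctly does not flag. The token format (JWT), key names and timestamps are assumptions made for the sample.

```python
"""Check extracted mobile-app storage for a cleartext session token.

Added example for assessing a CWE-312 finding like CVE-2025-47147. The
inputs are constructed samples, not files taken from the real client, and
the assumption that the token is a JWT is made only so the sample can carry
an expiry claim.
"""
import base64
import json
import re
import xml.etree.ElementTree as ET

# A JWT is three base64url segments separated by dots.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped token for the sample data. The signature is a
    placeholder: an attacker replaying a stolen token never has to verify it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url(b'placeholder-signature')}"


def find_cleartext_tokens(xml_text: str) -> dict:
    """Return {key: token} for every string value that looks like a JWT.

    Handles an Android SharedPreferences file (<map><string name=..>) and a
    plist export (<plist><dict><key>..</key><string>..</string>)."""
    root = ET.fromstring(xml_text)
    found = {}
    if root.tag == "map":  # Android SharedPreferences
        for el in root.iter("string"):
            if el.text and JWT_RE.match(el.text.strip()):
                found[el.get("name")] = el.text.strip()
    elif root.tag == "plist":  # iOS NSUserDefaults export
        children = list(root.find("dict"))
        for key_el, val_el in zip(children[::2], children[1::2]):
            if val_el.tag == "string" and val_el.text and JWT_RE.match(val_el.text.strip()):
                found[key_el.text] = val_el.text.strip()
    return found


def token_seconds_remaining(token: str, now: int) -> int:
    """Decode the JWT payload without checking the signature and report how
    many seconds the extracted token stays usable at time `now`."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return max(0, int(payload["exp"]) - int(now))


# ---- constructed sample artifacts ------------------------------------------
NOW = 1_700_000_000  # fixed clock so the sample is reproducible
SESSION_TOKEN = make_unsigned_jwt({"sub": "operator42", "exp": NOW + 1800})

# What the vulnerable pattern looks like: the token sits in the file as-is.
ANDROID_PREFS_XML = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="server_url">https://cc.example.internal</string>
    <string name="session_token">{SESSION_TOKEN}</string>
    <boolean name="remember_me" value="true" />
</map>
"""

IOS_DEFAULTS_PLIST = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>server_url</key>
    <string>https://cc.example.internal</string>
    <key>session_token</key>
    <string>{SESSION_TOKEN}</string>
</dict>
</plist>
"""

# What a hardened store looks like from the outside: the same key holds
# opaque ciphertext (constructed base64 here), and nothing JWT-shaped is visible.
ENCRYPTED_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="session_token">AXlvdSBzaG91bGQgbm90IGJlIGFibGUgdG8gcmVhZCB0aGlz</string>
</map>
"""

if __name__ == "__main__":
    for label, artifact in [("android", ANDROID_PREFS_XML),
                            ("ios", IOS_DEFAULTS_PLIST),
                            ("hardened", ENCRYPTED_PREFS_XML)]:
        hits = find_cleartext_tokens(artifact)
        for key, tok in hits.items():
            print(f"{label}: cleartext token under '{key}', "
                  f"usable for {token_seconds_remaining(tok, NOW)}s")
        if not hits:
            print(f"{label}: no JWT-shaped value found")
```

A clean result from this check is necessary but not sufficient: a token that is opaque to the naked eye may still be decryptable with a key that lives beside it in the same storage, so the assessment has to confirm that the key is held in the platform keystore (Android Keystore or the iOS Keychain) rather than in application files. The expiry calculation is the part that turns a finding into a risk statement: it tells the incident responder how long a device lost at a given time can be abused if the session is not revoked server-side.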
In ATT&CK terms the post-access step maps to T1552.001 (Unsecured Credentials: Credentials In Files), a reminder that a mobile client is a credential store and is attacked as one. The fix is the vendor update: Command Centre Mobile Client 9.40.123 or later addresses the issue, and organizations should deploy it to all Operator devices. Until every device is updated, the practical mitigations are operational: treat a lost, stolen or unmanaged Operator device as a session compromise and revoke that Operator's sessions promptly; use mobile device management to require a device passcode and full-device encryption and to wipe or block devices that leave the organization's control; and keep session lifetimes on the server side as short as Operator workflows allow. For the application side, the lesson is the standard one from the OWASP Mobile Top 10 (insecure data storage) and NIST's mobile security guidance: session tokens and other secrets belong in the platform's protected storage (the Android Keystore or the iOS Keychain, or encrypted storage keyed from them) and never in plain application files, on any platform.