CVE-2025-9671 in Paytend Appinfo

Summary

by MITRE • 08/29/2025

A weakness has been identified in UAB Paytend App up to 2.1.9 on Android. This impacts an unknown function of the file AndroidManifest.xml of the component com.passport.cash. Executing manipulation can lead to improper export of android application components. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 08/30/2025

The vulnerability identified in UAB Paytend App version 2.1.9 presents a critical security flaw within the Android application's component exposure configuration. This weakness specifically targets the AndroidManifest.xml file of the com.passport.cash component, which serves as the primary configuration file governing application components and their accessibility. The improper export of Android application components creates a pathway for malicious actors to exploit the application's surface area without requiring external network access. The vulnerability's classification as a local attack vector indicates that exploitation requires physical access to the device or the ability to manipulate the application environment directly, making it particularly concerning for users who may unknowingly expose their devices to compromise.

The technical flaw manifests through insufficient component protection mechanisms within the Android application's manifest configuration, allowing unauthorized access to internal application components that should remain private or restricted. This misconfiguration enables attackers to directly interact with exported components, potentially bypassing intended security boundaries and accessing sensitive functionality. The vulnerability aligns with CWE-922, which addresses the improper export of Android application components, and represents a direct violation of the principle of least privilege in mobile application security. The attack surface expansion occurs when components that should be internal or protected are marked as exported, making them accessible to other applications or system components without proper authentication or authorization checks.

The operational impact of this vulnerability extends beyond simple data exposure, as it can enable various malicious activities including but not limited to privilege escalation, data exfiltration, and potential system compromise. Attackers could leverage the improperly exported components to manipulate application state, access protected data stores, or even inject malicious code into the application runtime environment. The fact that this vulnerability has been publicly exploited and the vendor's lack of response indicates a significant security gap in the application's lifecycle management and vulnerability remediation processes. This scenario represents a typical case where the ATT&CK framework's T1068 (Exploitation for Privilege Escalation) and T1566 (Phishing for Information) techniques could be effectively applied, particularly given the local execution requirement that makes it difficult to detect through network monitoring alone.

The remediation approach must address the core manifest configuration issues by ensuring that all components within the com.passport.cash package are properly secured and only exported when absolutely necessary for legitimate application functionality. Security hardening should include implementing proper component access controls, removing unnecessary export declarations, and conducting comprehensive security reviews of all AndroidManifest.xml configurations. Organizations should implement mobile application security testing procedures that specifically target component exposure vulnerabilities and establish vendor communication protocols to ensure timely vulnerability disclosure and remediation processes. The lack of vendor response underscores the importance of proactive security measures and the necessity for users to remain vigilant about application security updates, particularly for financial applications that handle sensitive user data and transactions.

Responsible

VulDB

Disclosure

08/29/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00122

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!