CVE-2025-9673 in 헤이카카오 Hey Kakao App

Summary

by MITRE • 08/29/2025

A vulnerability was detected in Kakao 헤이카카오 Hey Kakao App up to 2.17.4 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.kakao.i.connect. The manipulation results in improper export of android application components. The attack requires a local approach. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Analysis

by VulDB Data Team • 08/30/2025

This vulnerability affects the Kakao 헤이카카오 Hey Kakao Android application, version 2.17.4 and earlier, and lies in the AndroidManifest.xml configuration of the com.kakao.i.connect component. The flaw is an improper export of Android application components, which weakens the application's security boundary and exposes internal functionality to unauthorized access. This misconfiguration allows malicious actors to interact directly with exported components without proper authentication or authorization mechanisms, creating a significant attack surface that violates core Android security principles.

The vulnerability stems from the AndroidManifest.xml file declaring components as exported that should remain internal to the application. When components are improperly exported, they become accessible to other applications on the device, potentially enabling privilege escalation attacks, data exfiltration, and unauthorized access to sensitive functionality. This issue directly relates to CWE-922, which addresses the improper export of Android application components, and aligns with ATT&CK technique T1068 which covers local privilege escalation through application component manipulation. The vulnerability's local attack requirement means that exploitation does not necessitate network connectivity, making it particularly concerning as it can be leveraged through physical device access or pre-existing malicious applications.

The operational impact of this vulnerability extends beyond simple information disclosure, as it creates opportunities for attackers to manipulate application state, access user data, and potentially escalate privileges within the application context. Given that the exploit is publicly available and the vendor has not responded to disclosure attempts, this presents an immediate risk to users of affected versions. The lack of vendor response compounds the security risk, leaving users without official patches or mitigations while the vulnerability remains actively exploitable. This scenario demonstrates a critical failure in the security disclosure and remediation process, potentially exposing thousands of users to unauthorized access to their Kakao application data and functionality.

Mitigation strategies should focus on immediate user actions including updating to the latest application version if available, disabling the affected application until patches are released, and implementing mobile device management policies that restrict application component exposure. Organizations should conduct security assessments of their deployed applications to identify similar misconfigurations in other Android applications. The vulnerability highlights the importance of proper Android manifest configuration reviews and adherence to security best practices such as the principle of least privilege for exported components. Additionally, security researchers and vendors should maintain active communication channels to ensure timely disclosure and remediation of such critical vulnerabilities.

Responsible

VulDB

Disclosure

08/29/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00122

KEV

no

Activities

very low

Sources
