Arbitrary Command Execution in Oppo F5 Leading to Sensitive Data Exposure
CVE-2018-14996

7.8HIGH

Key Information:

Vendor

Oppo

Status
F5 Firmware
Vendor
CVE Published:
25 April 2019

What is CVE-2018-14996?

A pre-installed application on the Oppo F5 Android device exposes a serious vulnerability that enables apps with zero permissions to execute arbitrary commands as the system user. This security loophole allows potential attackers to access sensitive user data, including the ability to record the user’s screen and audio surreptitiously, reset the device, and intercept personal messages. The issue arises from the exported service of the vulnerable app, which cannot be disabled by users, presenting a significant threat to user privacy and device integrity.

References

https://www.kryptowire.com/portal/wp-content/uploads/2018...
x_refsource_MISC
https://www.kryptowire.com/portal/android-firmware-defcon...
x_refsource_MISC
https://www.kryptowire.com
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.