Arbitrary Command Execution Vulnerability in Tecno Android Device
CVE-2019-15344
8.1 HIGH
Summary
The Tecno Camon iClick Android device ships with a pre-installed app that exposes an exported service. Because the service is reachable by any other app on the device, a malicious co-installed app can hand it arbitrary commands, which the pre-installed app runs with the privileges of the system user. Functionality reachable this way includes screen recording, triggering a factory reset, and reading the user's notifications and text messages. The app cannot be disabled by the user, and it also receives commands over the network: an attacker in a man-in-the-middle position can inject commands into the responses the app processes, so the weakness is exploitable without any malicious app being installed.
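The root cause described above is an exported service with no caller restriction inside an app that runs as the system user. The following static check, added here as an example and not part of the advisory or of the vendor's code, reads a decoded AndroidManifest.xml (as produced by apktool) and lists services that other apps can reach without holding a signature-level permission. The manifest it runs on is constructed for this example; the package name, service names, permission names and the use of android:sharedUserId are hypothetical and are not claims about the affected app.

```python
"""List exported services that any co-installed app can bind to.

Added example, not taken from the advisory. Input is a decoded
AndroidManifest.xml; SAMPLE_MANIFEST below is constructed and every
name in it is hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an attribute from the android: XML namespace (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Apply the android:exported default rule to a manifest component.

    An explicit value wins. With no value, a component that declares an
    <intent-filter> is exported on targetSdk < 31 (and install is refused
    on 31+ until the value is made explicit), so treat it as exported.
    """
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def audit_services(manifest_xml):
    """Return (service_name, uid_context, reason) for each reachable service.

    uid_context is the android:sharedUserId if the manifest declares one
    (android.uid.system means the service body runs as the system user),
    otherwise "app".
    """
    root = ET.fromstring(manifest_xml)
    uid_context = android_attr(root, "sharedUserId") or "app"
    # protectionLevel of permissions this manifest defines; "normal" is the default.
    levels = {
        android_attr(p, "name"): (android_attr(p, "protectionLevel") or "normal")
        for p in root.iter("permission")
    }
    findings = []
    for svc in root.iter("service"):
        name = android_attr(svc, "name")
        if not is_exported(svc):
            continue
        perm = android_attr(svc, "permission")
        if perm is None:
            findings.append((name, uid_context, "exported service without android:permission"))
        elif levels.get(perm) in ("normal", "dangerous"):
            # normal/dangerous permissions are granted to any app that asks for them.
            findings.append((name, uid_context,
                             f"exported service guarded only by {levels[perm]}-level permission {perm}"))
    return findings


# Constructed manifest: two risky services, one correctly protected, one internal.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preload"
    android:sharedUserId="android.uid.system">
  <permission android:name="com.example.preload.WEAK"
      android:protectionLevel="normal"/>
  <permission android:name="com.example.preload.SIG"
      android:protectionLevel="signature"/>
  <application>
    <!-- Flagged: any app can bind and pass it a command string. -->
    <service android:name=".CommandService">
      <intent-filter>
        <action android:name="com.example.preload.RUN"/>
      </intent-filter>
    </service>
    <!-- Flagged: a normal-level permission is granted to every requester. -->
    <service android:name=".WeakService" android:exported="true"
        android:permission="com.example.preload.WEAK"/>
    <!-- Not flagged: signature permission limits callers to same-signer apps. -->
    <service android:name=".SafeService" android:exported="true"
        android:permission="com.example.preload.SIG"/>
    <!-- Not flagged: explicitly not exported. -->
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, uid, reason in audit_services(SAMPLE_MANIFEST):
        print(f"{name} (runs as {uid}): {reason}")
```

The fix the check points at is the one the ".SafeService" entry shows: either set android:exported="false" on the service, or guard it with a permission whose protectionLevel is "signature" so that only apps signed with the same key can bind. Neither addresses the network path in the summary, which needs the app to authenticate the source of the commands it downloads.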
CVSS v3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
The score is computed for the network (man-in-the-middle) path; a malicious app already on the device reaches the exported service locally and needs neither a network position nor any special privileges.