Exposed Factory Reset Service in Ulefone and Krüger&Matz Android Devices
CVE-2024-13915

6.9 MEDIUM

Key Information:

Vendor: Ulefone
CVE Published: 30 May 2025

What is CVE-2024-13915?

Ulefone and Krüger&Matz Android smartphones ship with a preloaded application named 'com.pri.factorytest' that exposes a critical service allowing any application on the device to perform a factory reset. The vulnerability arises from improper access controls on the 'com.pri.factorytest.emmc.FactoryResetService' service. The affected application's version, 1.0, is not incremented, despite the issue being present in OS builds after late 2024 for Ulefone and potentially in March 2025 for Krüger&Matz. This loophole can have severe implications for users, as it allows malicious applications to regain control over the device by resetting it without the user's consent.

Affected Version(s)

com.pri.factorytest 0

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Szymon Chadam