Exposed Factory Reset Service in Ulefone and Krüger&Matz Android Devices
CVE-2024-13915
What is CVE-2024-13915?
Ulefone and Krüger&Matz Android smartphones ship with a preloaded application named 'com.pri.factorytest' that exposes a critical service allowing any application on the device to execute a factory reset. The vulnerability arises from improper access controls on the 'com.pri.factorytest.emmc.FactoryResetService' service. The affected application's version, 1.0, does not increment despite the issue being present in OS builds after late 2024 for Ulefone and potentially in March 2025 for Krüger&Matz. This loophole can have severe implications for users, as it allows malicious applications to regain control over the device by resetting it without the user's consent.
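
The following audit check is an added example, not code from the vendors or from the advisory: given a manifest already decoded to plain XML, it lists services that any installed app can call because they are exported and carry no permission. The manifest is constructed for illustration; only the package and service names come from the description above, and the attribute values, the two "Hypothetical" services and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (NOT the vendor's real file): only the package and
# service names come from the advisory; every attribute value is an assumption.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.pri.factorytest">
  <application>
    <service android:name="com.pri.factorytest.emmc.FactoryResetService"
             android:exported="true"/>
    <service android:name=".HypotheticalGuardedService"
             android:exported="true"
             android:permission="android.permission.MASTER_CLEAR"/>
    <service android:name=".HypotheticalInternalService"/>
  </application>
</manifest>"""


def is_exported(component):
    """Explicit android:exported wins; otherwise (pre-Android 12 default) a
    component is exported only when it declares an intent filter."""
    flag = component.get(ANDROID + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return component.find("intent-filter") is not None


def unprotected_services(manifest_xml):
    """Return full names of services callable by any app: exported, with no
    permission on the <service> or inherited from <application>."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_permission = app.get(ANDROID + "permission")
        for svc in app.iter("service"):
            name = svc.get(ANDROID + "name", "")
            if name.startswith("."):
                name = package + name
            permission = svc.get(ANDROID + "permission") or app_permission
            if is_exported(svc) and not permission:
                findings.append(name)
    return findings


if __name__ == "__main__":
    for service in unprotected_services(SAMPLE_MANIFEST):
        print("exported without permission:", service)
```

A service that performs a destructive action should either be non-exported or require a signature-level permission, which is what the guarded entry in the sample models.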

Affected Version(s)
com.pri.factorytest 0
Timeline
First article discovered by The Hacker News
Vulnerability published
Vulnerability Reserved
