CVE-2022-44433

7.8 HIGH

📋 TL;DR

CVE-2022-44433 is a missing permission check in the phoneEx service on Unisoc chipsets. The missing check allows a local attacker to escalate privileges with no additional execution privileges needed. The vulnerability affects Android devices that use Unisoc chipsets.

💻 Affected Systems

Products:
  • Android devices with Unisoc chipsets
Versions: Specific Unisoc chipset firmware versions (exact versions not publicly specified in available references)
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in phoneEx service implementation on Unisoc chipsets. Exact device models depend on chipset implementation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise with root/system-level access, allowing installation of persistent malware, data theft, and bypassing all security controls.

🟠 Likely Case

Local privilege escalation enabling unauthorized access to sensitive device functions, user data, and ability to install malicious apps with elevated permissions.

🟢 If Mitigated

Limited impact if proper application sandboxing and SELinux policies are enforced, though privilege escalation may still occur within certain contexts.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the device.
🏢 Internal Only: HIGH - Malicious apps or compromised user accounts could exploit this to gain elevated privileges on affected devices within an organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and the ability to execute code on the device. No public exploit code is known to be available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unisoc security patch - specific version not publicly detailed

Vendor Advisory: https://www.unisoc.com/en_us/secy/announcementDetail/1654776866982133761

Restart Required: Yes

Instructions:

1. Contact device manufacturer for security updates.
2. Apply Unisoc-provided security patches.
3. Update Android security patches.
4. Reboot device after patching.

🔧 Temporary Workarounds

Disable unnecessary services (Android)

Restrict phoneEx service permissions if possible through device management.

🧯 If You Can't Patch

  • Implement strict application whitelisting to prevent unauthorized app installation
  • Use mobile device management (MDM) solutions to enforce security policies and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check device chipset manufacturer and firmware version. Contact device manufacturer for vulnerability assessment.

Check Version:

adb shell getprop ro.build.version.security_patch (for Android security patch level)

Verify Fix Applied:

Verify installation of latest security patches from device manufacturer and Unisoc security updates.

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in system logs
  • Abnormal phoneEx service activity

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Not applicable - device-level vulnerability requiring endpoint detection
