CVE-2023-40117

7.8 HIGH

📋 TL;DR

This vulnerability allows an attacker with physical access to bypass the Android device lockscreen without authentication. It affects Android devices running vulnerable versions, enabling local privilege escalation to access device data and settings.

💻 Affected Systems

Products:
  • Android OS
Versions: Android versions prior to October 2023 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with the standard Android lockscreen enabled. Devices with additional security measures may have reduced impact.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing unauthorized access to all user data, apps, and settings without any authentication.

🟠 Likely Case

Unauthorized access to device data and settings when an attacker has brief physical access to a locked device.

🟢 If Mitigated

Limited impact if device encryption is enabled and sensitive data is protected by additional security layers.

🌐 Internet-Facing: LOW - This is a local physical-access vulnerability; the attacker must have the device in hand.
🏢 Internal Only: MEDIUM - In organizational settings, this could allow unauthorized access to corporate devices that are left unattended.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires physical device access but no user interaction or authentication. The vulnerability is in the SettingsProvider component.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2023 Android Security Patch Level or later

Vendor Advisory: https://source.android.com/security/bulletin/2023-10-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update.
2. Install the October 2023 or later security patch.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Enable device encryption (Android)

Full device encryption adds protection for stored data at rest (for example on a powered-off device) even if the lockscreen is bypassed.

Settings > Security > Encrypt device

Use strong authentication methods (Android)

Use biometric authentication or a strong PIN/password as an additional security layer.

Settings > Security > Screen lock

🧯 If You Can't Patch

  • Implement strict physical security controls for devices
  • Enable remote wipe capabilities and device management policies

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level under Settings > About phone > Android version > Security patch level.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify that the security patch level shows a date in October 2023 or later.
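As an added example (not part of this advisory), the check above as a POSIX shell script: it reads ro.build.version.security_patch from each device that adb lists, compares it with the 2023-10-01 fix level, and reports fixed, vulnerable, or unknown. The function names, the `--scan` flag and the output wording are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory: classify Android devices as fixed or
# vulnerable to CVE-2023-40117 from their security patch level. Assumes `adb`
# is on PATH for the scan; is_patched is pure POSIX sh and needs no device.

# First patch level that contains the fix (October 2023 bulletin).
MIN_PATCH_LEVEL="2023-10-01"

# is_patched LEVEL   (LEVEL = YYYY-MM-DD from ro.build.version.security_patch)
#   Exit status: 0 = at or after the fix level, 1 = older (vulnerable),
#   2 = empty or malformed value (treat as unknown, never as fixed).
is_patched() {
    level=$1
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Drop the dashes so the dates compare as plain integers (2023-10-05 -> 20231005).
    have=$(printf '%s' "$level" | tr -d '-')
    want=$(printf '%s' "$MIN_PATCH_LEVEL" | tr -d '-')
    [ "$have" -ge "$want" ]
}

# check_device SERIAL: read one device's patch level over adb, print a verdict.
check_device() {
    serial=$1
    # `tr -d '\r'` strips the CR that adb shell appends on some hosts.
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    rc=0
    is_patched "$level" || rc=$?
    case $rc in
        0) echo "$serial: patch level $level - fixed" ;;
        1) echo "$serial: patch level $level - VULNERABLE to CVE-2023-40117" ;;
        *) echo "$serial: could not read patch level (got '$level')" ;;
    esac
}

# scan_devices: check every device adb lists as authorised ("device" state).
scan_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        check_device "$serial"
    done
}

# Run the scan only when invoked as `sh check_patch.sh --scan`.
if [ "${1:-}" = "--scan" ]; then
    scan_devices
fi
```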

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed unlock attempts followed by successful access without proper authentication
  • Unusual settings changes without user interaction

Network Indicators:

  • None - this is a local physical access vulnerability

SIEM Query:

Search for: 'SettingsProvider' AND 'resetSettingsLocked' in Android system logs
