CVE-2023-41960

7.1 HIGH

📋 TL;DR

This vulnerability allows unprivileged third-party Android apps to interact with an improperly secured content provider in the Bosch Android Agent application. This could enable malicious apps to modify sensitive settings in the Bosch Android Client application. Affected users are those running vulnerable versions of Bosch's Android applications.

💻 Affected Systems

Products:
  • Bosch Android Agent application
  • Bosch Android Client application
Versions: Specific versions not publicly detailed in advisory
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the interaction between Bosch's Android applications. Requires both vulnerable Agent and Client applications to be installed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious app could modify critical client application settings, potentially disrupting functionality or enabling further attacks on the Android device.

🟠 Likely Case

Malicious app could alter application preferences or settings, causing unexpected behavior in the Bosch client application.

🟢 If Mitigated

With proper Android permissions and content provider security, only authorized apps can access the content provider, preventing unauthorized modifications.
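As an added illustration of that mitigation (a hypothetical manifest, not the Bosch apps' own code, which the advisory does not publish): an AndroidManifest.xml for an Agent-style app that shares a settings provider with a companion Client app. The weak declaration exports the provider to every installed app; the hardened one keeps it exported for the companion app but gates it behind a signature-level permission, so only apps signed with the same key can reach it. The authority, class and permission names are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical illustration; authority and permission names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.agent">

    <!-- WEAK (the pattern the advisory describes): exported with no permission
         attribute, so any third-party app can query() and update() the settings.
         Commented out here so the file stays valid. -->
    <!--
    <provider
        android:name=".SettingsProvider"
        android:authorities="com.example.agent.settings"
        android:exported="true" />
    -->

    <!-- HARDENED step 1: declare a custom permission with protectionLevel
         "signature". Android grants it only to apps signed with the same
         certificate as this one, which is exactly the Agent/Client pairing. -->
    <permission
        android:name="com.example.agent.permission.SETTINGS"
        android:protectionLevel="signature" />

    <application>
        <!-- HARDENED step 2: the provider stays exported (the Client app must
             reach it), but every read and write now requires the permission.
             If only this app needed the provider, android:exported="false"
             would be the right choice instead. -->
        <provider
            android:name=".SettingsProvider"
            android:authorities="com.example.agent.settings"
            android:exported="true"
            android:permission="com.example.agent.permission.SETTINGS" />
    </application>
</manifest>

<!-- In the companion Client app's manifest (signed with the same key):
     <uses-permission android:name="com.example.agent.permission.SETTINGS" />
     An unrelated app requesting the same name is refused because its
     signature does not match, and its ContentResolver calls throw
     SecurityException. -->
```

Read and write access can be split further with android:readPermission and android:writePermission on the provider if the Client only needs to read.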

🌐 Internet-Facing: LOW - This requires local app installation and execution on the Android device.
🏢 Internal Only: MEDIUM - Requires malicious app installation on the device, which could occur through social engineering or compromised app stores.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires creating a malicious Android app that targets the exposed content provider. No authentication bypass needed beyond standard Android app installation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in public advisory

Vendor Advisory: https://psirt.bosch.com/security-advisories/BOSCH-SA-175607.html

Restart Required: Yes

Instructions:

1. Update Bosch Android Agent application through Google Play Store or official Bosch channels.
2. Update Bosch Android Client application.
3. Restart Android device after updates.

🔧 Temporary Workarounds

Disable or remove vulnerable applications

Remove or disable Bosch Android Agent and Client applications if not required:

Settings > Apps > [Bosch App] > Uninstall/Disable

Restrict app installations

Configure Android to only allow app installations from trusted sources like Google Play Store:

Settings > Security > Unknown sources (disable)

🧯 If You Can't Patch

  • Implement mobile device management (MDM) to control app installations and permissions
  • Educate users about risks of installing apps from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check installed version of Bosch Android Agent and Client applications against patched versions in vendor advisory

Check Version:

Settings > Apps > [Bosch App] > App info

Verify Fix Applied:

Verify both applications have been updated to latest versions and test content provider access from third-party apps

📡 Detection & Monitoring

Log Indicators:

  • Unusual content provider access attempts in Android logs
  • Permission denial logs for content provider access

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Not applicable for local Android app vulnerability
