Login Sign Up

CVE-2023-42747

7.8 HIGH

📋 TL;DR

This CVE describes a missing permission check vulnerability in camera service that allows local privilege escalation. Attackers can exploit this to gain elevated privileges without needing additional execution permissions. This affects devices using the vulnerable camera service implementation.

💻 Affected Systems

Products:
  • Unisoc camera service implementation
Versions: Specific versions not detailed in provided references
Operating Systems: Android-based systems using Unisoc chipsets
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with Unisoc chipsets where camera service has the vulnerability. Exact device models not specified in provided references.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise where an attacker gains root/system-level access, potentially installing persistent malware, accessing all user data, and controlling device functions.

🟠

Likely Case

Local attacker gains elevated privileges to access sensitive camera data, other app data, or system resources they shouldn't have access to.

🟢

If Mitigated

Limited impact with proper permission controls and isolation mechanisms preventing privilege escalation.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the device.
🏢 Internal Only: HIGH - Any malicious app or user with local access could exploit this to gain elevated privileges on affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but no additional privileges. The missing permission check suggests straightforward exploitation once the vulnerability is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in provided references

Vendor Advisory: https://www.unisoc.com/en_us/secy/announcementDetail/1731138365803266049

Restart Required: Yes

Instructions:

1. Check with device manufacturer for security updates. 2. Apply available firmware/OS updates. 3. Reboot device after update installation.

🔧 Temporary Workarounds

Restrict camera permissions

android

Limit camera access to essential apps only to reduce attack surface

Disable unnecessary camera features

android

Turn off camera services or features not in use

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement strict app installation policies and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check device manufacturer security bulletins for affected models and firmware versions

Check Version:

Settings > About Phone > Software Information (Android)

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable versions and check security patch level

📡 Detection & Monitoring

Log Indicators:

  • Unexpected camera service access attempts
  • Permission escalation attempts in system logs
  • Abnormal privilege changes

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Not applicable for local privilege escalation without network component

📊 Metadata

CVE ID: CVE-2023-42747
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-862
Published: December 4, 2023
Last Updated: May 29, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-42747, you might also want to check these:

CVE-2024-6071 10.0

CVE-2024-6071 is a critical remote code execution vulnerability in PTC Creo Elements/Direct License ...

Same vulnerability type (CWE-862)
CVE-2022-0543 10.0

CVE-2022-0543 is a critical Lua sandbox escape vulnerability in Redis on Debian-based systems that a...

Same vulnerability type (CWE-862)
CVE-2024-6500 10.0

This vulnerability allows unauthenticated attackers to read and delete arbitrary files on WordPress ...

Same vulnerability type (CWE-862)