CVE-2024-1608

9.1 CRITICAL

📋 TL;DR

The OPPO Usercenter Credit SDK contains a privilege escalation vulnerability due to improper permission checks. This allows attackers to access internal application information without user interaction, affecting all applications using this vulnerable SDK.

💻 Affected Systems

Products:
  • OPPO Usercenter Credit SDK
Versions: Specific versions not publicly disclosed in references
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all applications integrating the vulnerable OPPO Usercenter Credit SDK. Exact version ranges not specified in provided references.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of application data including sensitive user information, financial data, and internal business logic leading to data breach and potential regulatory violations.

🟠

Likely Case

Unauthorized access to internal application data, user information leakage, and potential for further exploitation within the application ecosystem.

🟢

If Mitigated

Limited information disclosure if proper network segmentation and access controls are implemented, but core vulnerability remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Description indicates exploitation requires no user interaction, suggesting low complexity. No public exploit code identified in provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in provided references

Vendor Advisory: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1759867611954552832

Restart Required: Yes

Instructions:

1. Check OPPO security advisory for patched SDK version.
2. Update all applications using OPPO Usercenter Credit SDK to use patched version.
3. Rebuild and redeploy affected applications.
4. Restart devices or applications as needed.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected applications from sensitive networks and data stores

Access Control Enhancement

all

Implement additional application-level permission checks

🧯 If You Can't Patch

  • Isolate affected applications in network segments with minimal access
  • Implement monitoring for unusual data access patterns from affected applications

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for OPPO Usercenter Credit SDK integration and version

Check Version:

Check application build configuration or dependency manifest for SDK version

Verify Fix Applied:

Verify SDK version has been updated to patched version specified in OPPO advisory

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to internal application APIs
  • Unusual data access patterns from application components

Network Indicators:

  • Unexpected data exfiltration from affected applications
  • Unauthorized API calls to internal endpoints

SIEM Query:

Search for application logs showing privilege escalation attempts or unauthorized data access from OPPO SDK components
