CVE-2025-14698 – This CVE describes a path traversal vulnerabili... (How to Fix)

Q: What is the severity of CVE-2025-14698?

CVE-2025-14698 has a CVSS score of 4.4 (MEDIUM). This CVE describes a path traversal vulnerability in the atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. It allows local attackers to access files outside the intended directory structure. Only users of this specific Android app version are affected.

📋 TL;DR

This CVE describes a path traversal vulnerability in the atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. It allows local attackers to access files outside the intended directory structure. Only users of this specific Android app version are affected.

💻 Affected Systems

Products:

atlaszz AI Photo Team Galleryit App

Versions: 1.3.8.2

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects this specific version of the Android app. The vulnerability is in the gallery.photogallery.pictures.vault.album component.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access could read sensitive files from the device's storage, potentially accessing photos, documents, or other private data stored by the app or system.

🟠

Likely Case

Limited file access within the app's sandbox or adjacent directories, potentially exposing user photos or app data.

🟢

If Mitigated

No impact if the app is not installed or proper Android sandboxing prevents escalation.

🌐 Internet-Facing: LOW - The attack requires local access to the device.

🏢 Internal Only: MEDIUM - Local attackers (including malicious apps) could exploit this, but requires the vulnerable app to be installed.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available. Attack requires local access to the device (could be through another malicious app).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Uninstall the app until a fixed version is released by the vendor.

🔧 Temporary Workarounds

Uninstall vulnerable app

android

Remove the atlaszz AI Photo Team Galleryit App 1.3.8.2 from Android devices

Settings > Apps > atlaszz AI Photo Team Galleryit > Uninstall

🧯 If You Can't Patch

Restrict app permissions to minimal required access
Isolate device from sensitive networks and monitor for unusual file access patterns

🔍 How to Verify

Check if Vulnerable:

Check app version in Android Settings > Apps > atlaszz AI Photo Team Galleryit > App info

Check Version:

Not applicable - check through Android UI

Verify Fix Applied:

Verify app is uninstalled or updated to a version later than 1.3.8.2

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns from the app, path traversal attempts in app logs

Network Indicators:

None - this is a local vulnerability

SIEM Query:

Not applicable for local app vulnerability

📊 Metadata

CVE ID: CVE-2025-14698

CVSS v3 Score: 4.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE: CWE-22

EPSS Score: 0.03% exploit probability (7.7th percentile)

Published: December 15, 2025

Last Updated: December 15, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14698, you might also want to check these: