CVE-2025-50861
📋 TL;DR
The Lotus Cars Android app version 1.2.8 contains an exported component (PushDeepLinkActivity) that can be accessed without authentication via ADB or malicious apps. This allows attackers to access application internals, potentially causing denial of service or logic abuse. Only users of the affected Android app version are impacted.
💻 Affected Systems
- Lotus Cars Android app
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A malicious app could trigger the component to crash the Lotus Cars app, disrupt vehicle connectivity features, or access sensitive app data through deep link manipulation.
Likely Case
Local malicious apps could cause app crashes or interfere with legitimate functionality through unauthorized component access.
If Mitigated
With proper Android permissions and component protection, the vulnerability would be limited to authorized apps only.
🎯 Exploit Status
Exploitation requires ADB access or malicious app installation on the target device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version >1.2.8
Vendor Advisory: http://lotus.com
Restart Required: No
Instructions:
1. Update the Lotus Cars app through Google Play Store.
2. Verify the app version is greater than 1.2.8.
3. No device restart required.
🔧 Temporary Workarounds
Disable app or restrict ADB
Android: Temporarily disable the Lotus Cars app or restrict ADB access to prevent exploitation.
adb shell pm disable-user com.lotus.carsdomestic.intl
adb shell settings put global adb_enabled 0
🧯 If You Can't Patch
- Uninstall the Lotus Cars app until patched.
- Enable Android's Verify Apps feature and avoid sideloading unknown apps.
🔍 How to Verify
Check if Vulnerable:
Check if the app version is 1.2.8 via Android Settings > Apps > Lotus Cars > App info.
Check Version:
adb shell dumpsys package com.lotus.carsdomestic.intl | grep versionName
Verify Fix Applied:
Confirm app version is greater than 1.2.8 after update.
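The version check above can be scripted. The following is an added example, not vendor code or part of the original advisory: it parses `dumpsys package` output and applies the "greater than 1.2.8" test with a numeric, field-by-field comparison, so that 1.2.10 is not misread as older than 1.2.8. The function names are hypothetical and the sample dumpsys lines are constructed.

```shell
#!/bin/sh
# Added example (not vendor code): apply this page's "greater than 1.2.8"
# check to `dumpsys package` output. Function names are hypothetical.

FIX_BOUNDARY="1.2.8"               # version named on this page
PKG="com.lotus.carsdomestic.intl"  # package name from this page

# Read dumpsys output on stdin, print the first versionName value.
extract_version() {
    sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# version_le A B: succeed when dotted version A <= B, compared numerically
# field by field so that 1.2.10 sorts above 1.2.8.
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "-beta"
        x=${x:-0}; y=${y:-0}               # missing field counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print "fixed" (> 1.2.8), "not-fixed" (<= 1.2.8) or "unknown" (no version).
classify() {
    v=$(extract_version)
    if [ -z "$v" ]; then
        echo unknown
    elif version_le "$v" "$FIX_BOUNDARY"; then
        echo not-fixed
    else
        echo fixed
    fi
}

# Constructed sample of the relevant dumpsys lines, so this runs offline.
SAMPLE='    versionCode=128 minSdk=24 targetSdk=33
    versionName=1.2.8'
printf '%s\n' "$SAMPLE" | classify

# On a connected device:
#   adb shell dumpsys package "$PKG" | classify
```

An "unknown" result means no versionName line was found, which is what you get when the package is not installed or the device is not reachable.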
📡 Detection & Monitoring
Log Indicators:
- Unexpected intents to PushDeepLinkActivity in Android logs
- App crashes related to deep link processing
Network Indicators:
- None - local vulnerability only
SIEM Query:
Not applicable for local app vulnerability