CVE-2025-7890

5.3 MEDIUM

📋 TL;DR

The Dunamu StockPlus Android app declares application components in its AndroidManifest.xml as exported when they should be private to the app (CWE-926, improper export of Android application components). Any other app installed on the same device can invoke those components directly and reach app functionality or data that is meant to stay internal. Only Android users of the affected app versions are impacted.
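The weakness is entirely in what the manifest exports, so the practical first step on any build is to list the components a co-installed app can reach. The script below is an added example, not the advisory's or Dunamu's code: it audits a constructed sample manifest (every component name in it is hypothetical) for activities, services, receivers and providers that are exported, and reports whether a permission guards each one.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the StockPlus code base.
# Lists manifest components another app on the device can reach: those
# declared android:exported="true", plus those with no exported attribute
# but an <intent-filter> (exported by default before targetSdk 31).
# The sample manifest below is constructed; every component name in it
# is hypothetical.

SAMPLE_MANIFEST='<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application>
    <!-- launcher entry point: exported by design -->
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- WEAK: internal screen reachable by any co-installed app -->
    <activity android:name=".internal.TransferActivity" android:exported="true"/>
    <!-- WEAK: no exported attribute, but the intent-filter exports it on older targets -->
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.demo.SYNC"/>
      </intent-filter>
    </receiver>
    <!-- FIXED: explicitly private -->
    <service android:name=".internal.AuthService" android:exported="false"/>
    <!-- FIXED: exported, but callers must hold a permission the app defines -->
    <provider android:name=".DataProvider"
        android:authorities="com.example.demo.data"
        android:exported="true"
        android:permission="com.example.demo.permission.ACCESS_DATA"/>
  </application>
</manifest>'

# audit_exported < AndroidManifest.xml
# Splits the XML on "<" so each element is one awk record; remembers the
# component being read and prints it when its closing tag (or "/>") arrives.
# Only android:permission is checked; provider readPermission/writePermission
# and grantUriPermissions need a separate look.
audit_exported() {
    awk '
    BEGIN { RS = "<" }
    function emit() {
        if (cur == "") return
        if (expo == "true") why = "exported=\"true\""
        else if (expo == "" && has_filter) why = "implicitly exported by intent-filter (pre-API-31 default)"
        else { cur = ""; return }
        printf "%s %s: %s; %s\n", kind, cur, why, (has_perm ? "guarded by android:permission" : "NO permission guard")
        cur = ""
    }
    {
        match($0, /^\/?[a-zA-Z-]+/)
        tag = (RLENGTH > 0) ? substr($0, 1, RLENGTH) : ""
        if (tag ~ /^(activity|activity-alias|service|receiver|provider)$/) {
            emit()                      # flush a component still open from before
            kind = tag; cur = ""
            if (match($0, /android:name="[^"]*"/)) cur = substr($0, RSTART + 14, RLENGTH - 15)
            expo = ""
            if (index($0, "android:exported=\"true\"")) expo = "true"
            else if (index($0, "android:exported=\"false\"")) expo = "false"
            has_perm = (index($0, "android:permission=") > 0)
            has_filter = 0
            if ($0 ~ /\/>/) emit()      # self-closing element: nothing nested, report now
        } else if (tag == "intent-filter") {
            has_filter = 1
        } else if (tag ~ /^\/(activity|activity-alias|service|receiver|provider)$/) {
            emit()
        }
    }
    END { emit() }'
}

# Wrappers over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE_MANIFEST" | audit_exported; }
count_reachable() { audit_sample | wc -l | tr -d ' '; }

audit_sample
```

On the sample it reports four reachable components (the launcher activity, the two weak ones, and the permission-guarded provider) and stays silent on the explicitly private service. To run it against the real app, pull the APK (`adb shell pm path com.dunamu.stockplus` prints its path) and decode it with apktool; the script expects the decoded XML on stdin, not the binary AndroidManifest.xml inside the APK.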

💻 Affected Systems

Products:
  • Dunamu StockPlus App
Versions: Up to and including 7.62.10
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only the Android app is affected. Exploitation needs code already running on the same device, typically a malicious app installed alongside StockPlus; there is no remote vector.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious app on the device invokes the exported components directly and reaches financial data or triggers in-app actions, potentially including transactions, without passing through the app's own screens and checks.

🟠

Likely Case

A malicious app reaches non-critical components or functionality, exposing user data or undermining the app's integrity.

🟢

If Mitigated

The Android sandbox still confines a caller to whatever the exported components themselves expose; on a device that carries no untrusted third-party apps there is no local caller to abuse them.

🌐 Internet-Facing: LOW - No remote vector; the attacker must already run code on the device.
🏢 Internal Only: MEDIUM - A co-installed malicious app (or anyone with ADB shell access to the device) can invoke the exported components.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs code on the device (a malicious app, or ADB shell access); the public disclosure includes reproduction steps, and no vendor response has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available and no fixed version has been confirmed. Monitor StockPlus updates on the Google Play Store and install them when released; a version newer than 7.62.10 is not by itself proof that the components were closed.

🔧 Temporary Workarounds

Uninstall vulnerable app

Remove the vulnerable StockPlus app from affected devices:

adb uninstall com.dunamu.stockplus

Restrict app permissions

Limit the app's runtime permissions in Android settings. This does not close the exported components, but it caps what a caller can do through them at what the app itself is allowed to do.

🧯 If You Can't Patch

  • Keep affected devices free of untrusted third-party apps; a co-installed app is the realistic attacker, so restrict installs to vetted packages where MDM allows it, and limit the sensitive accounts and data the device can reach until the app is updated
  • Use mobile device management (MDM) controls to inventory installed apps and flag unexpected packages alongside StockPlus

🔍 How to Verify

Check if Vulnerable:

Check the app version under Android Settings > Apps > StockPlus > App info. If the version is 7.62.10 or lower, the installation is affected.

Check Version:

adb shell dumpsys package com.dunamu.stockplus | grep versionName

Verify Fix Applied:

After updating from the Google Play Store, confirm the version is above 7.62.10. Because no fixed version has been published, also check the update's release notes; the version bump alone does not prove the components were closed.
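Version strings like 7.62.10 trip up naive checks: compared as text, 7.7.0 sorts above 7.62.10 and would be reported as safe. The script below is an added example, not the advisory's or Dunamu's tooling; it compares dotted fields as integers, reads the installed versionName over adb when asked, and treats "up to and including 7.62.10" as the affected range stated above.

```shell
#!/bin/sh
# Added example, not part of the advisory. Tells whether a versionName is in
# the affected range (up to and including 7.62.10). Fields are compared as
# integers: a string comparison would rank 7.7.0 above 7.62.10 and miss it.

AFFECTED_MAX="7.62.10"   # highest affected version named in the advisory

# version_le A B -> returns 0 when A <= B, comparing dotted fields numerically.
# Missing fields count as 0 (7.62 < 7.62.10); non-digit suffixes are ignored.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # "10-beta" -> "10"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0   # every field equal
}

# is_vulnerable VERSION -> returns 0 when VERSION is in the affected range
is_vulnerable() { version_le "$1" "$AFFECTED_MAX"; }

# installed_version: versionName reported by a connected device (needs adb in PATH).
installed_version() {
    adb shell dumpsys package com.dunamu.stockplus 2>/dev/null | tr -d '\r' \
        | awk -F= '/versionName=/ { print $2; exit }'
}

# Optional live check against an attached device: ./check_stockplus.sh --device
if [ "${1:-}" = "--device" ]; then
    v="$(installed_version)"
    if [ -z "$v" ]; then
        echo "StockPlus not found on device (or adb not connected)"; exit 2
    elif is_vulnerable "$v"; then
        echo "installed $v: in affected range (<= $AFFECTED_MAX)"
    else
        echo "installed $v: above $AFFECTED_MAX (no fixed version is confirmed; check release notes)"
    fi
fi
```

Offline, `is_vulnerable 7.7.0 && echo affected` prints "affected" while `is_vulnerable 7.63.0` returns non-zero; the `--device` switch runs the same test on whatever `dumpsys package` reports.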

📡 Detection & Monitoring

Log Indicators:

  • ActivityTaskManager (ActivityManager on older releases) START lines in logcat whose cmp= names a com.dunamu.stockplus component but whose "from uid" is neither the app's own UID nor the launcher
  • StockPlus screens or actions that occur without a user interaction, for example while the app was not in the foreground

Network Indicators:

  • Network traffic from the StockPlus process to destinations it does not normally contact, which can indicate an exported component being driven to act on the user's behalf

SIEM Query (template only: stock Android emits no component_export or permission_violation events, so map these field and event names onto whatever your MDM or mobile EDR forwards):

source="android_logs" AND app="com.dunamu.stockplus" AND (event="component_export" OR event="permission_violation")
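The one signal stock Android does give you for free is the activity-start log line, which names both the target component and the calling UID. The script below is an added example, not the advisory's or Dunamu's tooling: it flags starts of a StockPlus activity requested by any UID other than the app's own, skipping ordinary launcher taps. The log lines are constructed, the component names and UIDs are hypothetical, and services, receivers and providers need other signals.

```shell
#!/bin/sh
# Added example, not part of the advisory. Scans logcat for activity starts
# of a StockPlus component requested by a UID other than the app's own.
# Recent Android releases log each activity start as
#   ActivityTaskManager: START u0 {... cmp=<pkg>/<Activity>} from uid <N>
# (tag ActivityManager on older releases). A foreign "from uid" on a
# non-launcher start means a co-installed app is driving an exported activity.
# SAMPLE_LOG is constructed; its component names and UIDs are hypothetical.

PKG="com.dunamu.stockplus"

SAMPLE_LOG='03-11 10:22:41.123  1234  5678 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.dunamu.stockplus/.MainActivity} from uid 10089
03-11 10:23:02.456  1234  5678 I ActivityTaskManager: START u0 {cmp=com.dunamu.stockplus/.ExampleExportedActivity} from uid 10244
03-11 10:23:05.789  1234  5678 I ActivityTaskManager: START u0 {cmp=com.dunamu.stockplus/.ExampleSettingsActivity} from uid 10157
03-11 10:23:09.000  1234  5678 I ActivityTaskManager: START u0 {cmp=com.example.other/.Main} from uid 10244'
SAMPLE_APP_UID=10157   # hypothetical UID assigned to the app on the sample device

# flag_foreign_starts APP_UID < logcat-output
# Prints one ALERT line per start of a $PKG activity from another UID.
# Launcher taps (LAUNCHER category) are expected and skipped.
flag_foreign_starts() {
    awk -v app_uid="$1" -v pkg="$PKG" '
    /Activity(Task)?Manager: START/ && index($0, "cmp=" pkg "/") {
        if (index($0, "android.intent.category.LAUNCHER")) next
        if (!match($0, /from uid [0-9]+/)) next
        caller = substr($0, RSTART + 9, RLENGTH - 9)   # text after "from uid "
        if (caller == app_uid) next
        match($0, /cmp=[^ }]+/)
        print "ALERT caller_uid=" caller " " substr($0, RSTART, RLENGTH)
    }'
}

# app_uid: the UID Android assigned to the package on a connected device (needs adb).
app_uid() {
    adb shell dumpsys package "$PKG" 2>/dev/null | tr -d '\r' \
        | awk -F= '/^[ \t]*userId=/ { print $2; exit }'
}

# Wrappers over the constructed sample, used for the offline demonstration.
scan_sample() { printf '%s\n' "$SAMPLE_LOG" | flag_foreign_starts "$SAMPLE_APP_UID"; }
count_sample_alerts() { scan_sample | wc -l | tr -d ' '; }

scan_sample
```

On the sample only the second line is flagged: the first is a launcher tap, the third comes from the app's own UID, and the fourth targets a different package. Against a device, `adb logcat -d | flag_foreign_starts "$(app_uid)"` runs the same filter over the current log buffer; a non-launcher caller UID that belongs to an app you did not expect is the thing to chase.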

🔗 References
