CVE-2025-8257

5.3 MEDIUM

📋 TL;DR

This vulnerability in Lobby Universe Lobby App for Android allows improper export of application components via AndroidManifest.xml. Attackers with local access can exploit this to access sensitive app functionality. Only Android users of this specific app up to version 2.8.0 are affected.

💻 Affected Systems

Products:
  • Lobby Universe Lobby App
Versions: up to 2.8.0
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android version of the app. Requires app to be installed and active on device.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local attacker gains unauthorized access to sensitive app components, potentially accessing user data or performing unauthorized actions within the app.

🟠 Likely Case: Malicious app on same device exploits exported components to interact with Lobby App in unintended ways, potentially accessing limited app data.

🟢 If Mitigated: With proper Android security controls and app sandboxing, impact is limited to the specific app's data and functionality.

🌐 Internet-Facing: LOW - Attack requires local access to device, not remotely exploitable.
🏢 Internal Only: MEDIUM - Requires malicious app installation or physical access to device, but could affect app data integrity.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access to device and knowledge of vulnerable component. Public disclosure suggests exploit code may be available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

1. Check Google Play Store for app updates
2. If update available beyond 2.8.0, install immediately
3. Monitor vendor communications for security patches

🔧 Temporary Workarounds

Uninstall vulnerable app (Android)

Remove Lobby Universe Lobby App from Android devices until a patched version is available:

Settings > Apps > Lobby Universe Lobby App > Uninstall

Restrict app permissions (Android)

Limit app permissions to the minimum required functionality. This does not change which components the app exports; it only reduces what the app itself can access on the device:

Settings > Apps > Lobby Universe Lobby App > Permissions > Disable unnecessary permissions

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement mobile device management (MDM) controls to restrict app installations

🔍 How to Verify

Check if Vulnerable:

Check app version in Settings > Apps > Lobby Universe Lobby App. If version is 2.8.0 or lower, app is vulnerable.

Check Version:

adb shell dumpsys package com.maverick.lobby | grep versionName

Verify Fix Applied:

Update app via Google Play Store and verify version is higher than 2.8.0
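
For teams reviewing their own builds for the weakness class described above (components exported through AndroidManifest.xml), the following added example, which is not code from the vendor or the CVE record, audits a decoded manifest and lists exported components that have no permission guard. The sample manifest is constructed, and its package, component and permission names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
# Constructed sample manifest; package and component names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample"><application>
  <activity android:name=".MainActivity" android:exported="true"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity>
  <activity android:name=".SettingsActivity" android:exported="true"/>
  <service android:name=".SyncService" android:exported="true"
      android:permission="com.example.sample.SYNC"/>
  <receiver android:name=".PushReceiver"><intent-filter>
    <action android:name="com.example.sample.PUSH"/></intent-filter></receiver>
  <provider android:name=".DataProvider" android:authorities="com.example.sample.data"
      android:exported="false"/>
</application></manifest>"""

def is_exported(elem):
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # Attribute absent: an intent-filter exports activities, services and
    # receivers by default when the app targets below Android 12.
    return elem.tag != "provider" and elem.find("intent-filter") is not None

def is_launcher(elem):
    # The launcher entry point has to be exported, so it is not reported.
    for f in elem.findall("intent-filter"):
        names = {child.get(A + "name") for child in f}
        if {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"} <= names:
            return True
    return False

def unprotected_exports(manifest_xml):
    """Return (tag, name) for exported components with no permission guard."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    findings = []
    for elem in app:
        if elem.tag not in TAGS or not is_exported(elem) or is_launcher(elem):
            continue
        # Component-level permission, else the application-wide default.
        if not (elem.get(A + "permission") or app.get(A + "permission")):
            findings.append((elem.tag, elem.get(A + "name")))
    return findings

if __name__ == "__main__":
    print(unprotected_exports(SAMPLE))
```

The check does not evaluate provider readPermission/writePermission or the protection level of a declared permission, so each finding is a starting point for manual review.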

📡 Detection & Monitoring

Log Indicators:

  • Unusual app component access attempts in Android logs
  • Security exceptions related to exported components

Network Indicators:

  • None - local vulnerability only

SIEM Query:

app:"Lobby Universe Lobby App" AND version:"<=2.8.0"
