CVE-2025-8707

5.3 MEDIUM

📋 TL;DR

Huuge Box App 1.0.3 on Android improperly exports application components through its AndroidManifest.xml. An attacker with local access, such as another app on the same device, can potentially reach sensitive app components, leading to data exposure or privilege escalation. Only Android users with this specific app version are affected.

💻 Affected Systems

Products:
  • Huuge Box App
Versions: 1.0.3
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android devices with Huuge Box App 1.0.3 installed. Requires local access to device.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains unauthorized access to sensitive app components, potentially leading to data theft, privilege escalation, or app functionality compromise.

🟠 Likely Case

Local user or malicious app exploits exported components to access limited app data or functionality without proper authorization.

🟢 If Mitigated

With proper Android security controls and app sandboxing, impact is limited to the app's own data and permissions.

🌐 Internet-Facing: LOW - Requires local access to device, not directly exploitable over internet.
🏢 Internal Only: MEDIUM - Local access required, but malicious apps or users on same device could exploit.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit details publicly disclosed on GitHub. Requires local access and some technical knowledge to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - check app store for updates

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Open Google Play Store
2. Search for Huuge Box App
3. Check for available updates
4. Install latest version
5. Verify app version is newer than 1.0.3

🔧 Temporary Workarounds

Uninstall vulnerable app

Android

Remove the vulnerable app version from affected devices

adb uninstall com.huuge.game.zjbox
Settings > Apps > Huuge Box > Uninstall

Restrict app permissions

Android

Limit app permissions to minimum required functionality

Settings > Apps > Huuge Box > Permissions > Disable unnecessary permissions

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement mobile device management (MDM) controls to restrict app installations

🔍 How to Verify

Check if Vulnerable:

Check the app version in Settings > Apps > Huuge Box > App info. If the version is 1.0.3, the device is vulnerable.

Check Version:

adb shell dumpsys package com.huuge.game.zjbox | grep versionName

Verify Fix Applied:

Verify that the app version is newer than 1.0.3 after the update. If technical verification is needed, check AndroidManifest.xml for proper component export settings.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to com.huuge.game.zjbox components
  • Android system logs showing component export violations

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Not applicable for local Android app vulnerability
