CVE-2025-9135 – This vulnerability allows improper export of An... (How to Fix)

Q: What is the severity of CVE-2025-9135?

CVE-2025-9135 has a CVSS score of 5.3 (MEDIUM). This vulnerability allows improper export of Android application components in multiple Austrian public transport apps, enabling local attackers to potentially intercept or manipulate app data. It affects users of Verkehrsauskunft Österreich SmartRide, cleVVVer, BusBahnBim, and Salzburg Verkehr apps on Android devices. The vulnerability stems from task affinity settings in AndroidManifest.xml that allow app copying.

📋 TL;DR

This vulnerability allows improper export of Android application components in multiple Austrian public transport apps, enabling local attackers to potentially intercept or manipulate app data. It affects users of Verkehrsauskunft Österreich SmartRide, cleVVVer, BusBahnBim, and Salzburg Verkehr apps on Android devices. The vulnerability stems from task affinity settings in AndroidManifest.xml that allow app copying.

💻 Affected Systems

Products:

Verkehrsauskunft Österreich SmartRide
cleVVVer
BusBahnBim
Salzburg Verkehr

Versions: Up to 12.1.1(258)

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Android versions where task affinity can be exploited. Requires local access to device.

📦 What is this software?

Smartride by Verkehrsauskunft

View all CVEs affecting Smartride →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with physical access to the device could copy the app and intercept sensitive user data including travel information, payment details, or authentication tokens.

🟠

Likely Case

Malicious apps on the same device could exploit exported components to access app data or functionality without proper permissions.

🟢

If Mitigated

With proper Android security controls and app sandboxing, impact is limited to data leakage within the compromised app's scope.

🌐 Internet-Facing: LOW - Attack requires local access to device, not remotely exploitable.

🏢 Internal Only: MEDIUM - Local attackers or malicious apps on the same device can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploit details are publicly available on GitHub. Requires local access to device and some technical knowledge of Android app structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.2(259)

Vendor Advisory: Not provided in CVE details

Restart Required: No

Instructions:

1. Open Google Play Store 2. Search for affected app 3. Check if update to 12.1.2(259) is available 4. Install update 5. Verify version in app settings

🔧 Temporary Workarounds

Disable app task affinity via ADB

Android

Manually modify app task affinity settings using Android Debug Bridge

adb shell pm clear [app_package_name]
adb shell am task lock [task_id]

🧯 If You Can't Patch

Uninstall affected apps until patched version is available
Enable Android Verify Apps feature and only install from Google Play Store

🔍 How to Verify

Check if Vulnerable:

Check app version in Android Settings > Apps > [App Name] > App Info. If version is 12.1.1(258) or lower, app is vulnerable.

Check Version:

adb shell dumpsys package [app_package_name] | grep versionName

Verify Fix Applied:

Verify app version shows 12.1.2(259) or higher in app settings. Check that task affinity is properly restricted.

📡 Detection & Monitoring

Log Indicators:

Unexpected app cloning attempts
Multiple instances of same app running
Permission violations in app sandbox

Network Indicators:

Unusual app data transmission patterns
Multiple app instances communicating simultaneously

SIEM Query:

app:"de.hafas.android.vvt" AND event_type:"permission_violation" OR "app_clone_attempt"

📊 Metadata

CVE ID: CVE-2025-9135

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-926

EPSS Score: 0.02% exploit probability (3.5th percentile)

Published: August 19, 2025

Last Updated: September 13, 2025

🔗 References

https://github.com/KMov-g/androidapps/blob/main/de.hafas.android.vvt.md Exploit,Third Party Advisory
https://github.com/KMov-g/androidapps/blob/main/de.hafas.android.vvt.md#steps-to-reproduce Exploit,Third Party Advisory
https://vuldb.com/?ctiid.320515 Permissions Required,VDB Entry
https://vuldb.com/?id.320515 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.615276 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.615278 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.628235 Third Party Advisory,VDB Entry
https://github.com/KMov-g/androidapps/blob/main/de.hafas.android.vvt.md Exploit,Third Party Advisory
https://github.com/KMov-g/androidapps/blob/main/de.hafas.android.vvt.md#steps-to-reproduce Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-9135, you might also want to check these: