Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers.
The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption.
Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.
High-riskĀ TrustAllCertsĀ routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could decrypt network traffic.
The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity.
There is a vulnerability in the Supermicro BMC SMTP service at Supermicro AS-2115HS-TNR.Ā An attacker may obtain administrator privileges and inject specially crafted characters into the SMTP service configuration. This may cause the underlying system to execute unintended commands during process i...
Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files.
System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data.
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation.
Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted.
Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing (CORS) rules that allow cross-site theft.
The debugging routineĀ SCREEN_CLICK(5053)Ā enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface.
Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet.
The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.
The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages.
The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions.
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations.
TheĀ ai_cmdĀ utility executes with full root permissions. It pipes socket inputs directly toĀ popen(), paving the way for unauthenticated users to execute arbitrary root commands.
The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse.