CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges via the update_info field of the _default_.xml file.
Analysis (AI)
Privilege escalation vulnerability in Ego Studio SuperClean Android app versions 1.1.5 and 1.1.9, where an attacker can gain elevated privileges by manipulating the update_info field in the _default_.xml file. A public proof-of-concept exploit is available on GitHub, though the EPSS score of 0.04% indicates a low probability of real-world exploitation.
Technical Context (AI)
This vulnerability affects the Ego Studio SuperClean phone cleaner application for Android (CPE: cpe:2.3:a:egostudiogroup:super_clean:1.1.5:*:*:*:*:android:*:* and cpe:2.3:a:egostudiogroup:super_clean:1.1.9:*:*:*:*:android:*:*). The root cause is CWE-269 (Improper Privilege Management), where the application fails to properly control privileges when processing the update_info field in the _default_.xml configuration file. This allows unauthorized privilege elevation through XML manipulation.
Remediation (AI)
No official patch or updated version information is available from the vendor. Users should consider uninstalling affected versions (1.1.5 and 1.1.9) of SuperClean until a patched version is released. As a workaround, users should avoid granting unnecessary permissions to the app and be cautious about any update prompts. Monitor the vendor website (www.egostudiogroup.com) for security updates.