SoliClub
CVE-2025-1029
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable.
This issue affects SoliClub: from 5.2.4 before 5.3.7.
AnalysisAI
Hard-coded credentials in Utarit Information Services SoliClub Android app (versions 5.2.4 through 5.3.7) allow remote unauthenticated attackers to read sensitive constants embedded within the executable. The flaw was reported by Turkey's national CERT (USOM) and carries a CVSS 7.5 with high confidentiality impact but no integrity or availability effect; no public exploit identified at time of analysis and EPSS is very low at 0.04%.
Technical ContextAI
SoliClub is a mobile loyalty/membership Android application published by Utarit Information Services, as confirmed by the CPE string cpe:2.3:a:utarit:soliclub targeting the android platform. The root cause maps to CWE-798 (Use of Hard-coded Credentials), meaning secrets such as API keys, tokens, or backend credentials are compiled directly into the APK binary. Because Android applications are distributed as easily decompilable packages, any constant embedded in DEX/native code can be extracted with standard reverse-engineering tooling (apktool, jadx, strings), exposing the secret to anyone who downloads the app from the Play Store or an APK mirror.
RemediationAI
Vendor-released patch: SoliClub 5.3.7 - upgrade the Android application to 5.3.7 or later via Google Play, as described in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0466. Because the hard-coded secret has been exposed in distributed binaries, the vendor should additionally rotate and revoke any embedded credentials, API keys, or tokens on the backend so previously extracted values cannot be reused even against unpatched clients; consumers cannot remediate this server-side dependency themselves. As a compensating control until upgrade, organizations distributing the app to managed devices can block the affected version range via MDM and force-update to 5.3.7, accepting the trade-off that users on older Android versions incompatible with 5.3.7 will lose app functionality.
Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Utarit Information SoliClub all
Authorization Bypass Through User-Controlled Key vulnerability in Utarit Information SoliClub allows Exploiting Incorrec
Hard-coded credentials in Utarit Informatics SoliClub Android application versions prior to 5.3.7 allow remote unauthent
Authorization bypass in Utarit Informatics SoliClub Android application versions 5.2.4 through 5.3.6 allows remote unaut
Information disclosure in Utarit Informatics SoliClub Android app versions 5.2.4 through 5.3.6 allows remote unauthentic
Missing authorization controls in the SoliClub Android application (all versions before 5.3.7) allow authenticated low-p
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today