Skip to main content

SoliClub CVE-2025-1029

HIGH
Use of Hard-coded Credentials (CWE-798)
2025-12-18 iletisim@usom.gov.tr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 08:31 vuln.today
CVE Published
Dec 18, 2025 - 15:15 nvd
HIGH 7.5

DescriptionCVE.org

Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable.

This issue affects SoliClub: from 5.2.4 before 5.3.7.

AnalysisAI

Hard-coded credentials in Utarit Information Services SoliClub Android app (versions 5.2.4 through 5.3.7) allow remote unauthenticated attackers to read sensitive constants embedded within the executable. The flaw was reported by Turkey's national CERT (USOM) and carries a CVSS 7.5 with high confidentiality impact but no integrity or availability effect; no public exploit identified at time of analysis and EPSS is very low at 0.04%.

Technical ContextAI

SoliClub is a mobile loyalty/membership Android application published by Utarit Information Services, as confirmed by the CPE string cpe:2.3:a:utarit:soliclub targeting the android platform. The root cause maps to CWE-798 (Use of Hard-coded Credentials), meaning secrets such as API keys, tokens, or backend credentials are compiled directly into the APK binary. Because Android applications are distributed as easily decompilable packages, any constant embedded in DEX/native code can be extracted with standard reverse-engineering tooling (apktool, jadx, strings), exposing the secret to anyone who downloads the app from the Play Store or an APK mirror.

RemediationAI

Vendor-released patch: SoliClub 5.3.7 - upgrade the Android application to 5.3.7 or later via Google Play, as described in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0466. Because the hard-coded secret has been exposed in distributed binaries, the vendor should additionally rotate and revoke any embedded credentials, API keys, or tokens on the backend so previously extracted values cannot be reused even against unpatched clients; consumers cannot remediate this server-side dependency themselves. As a compensating control until upgrade, organizations distributing the app to managed devices can block the affected version range via MDM and force-update to 5.3.7, accepting the trade-off that users on older Android versions incompatible with 5.3.7 will lose app functionality.

Share

CVE-2025-1029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy