Municorn FAX App CVE-2025-14699
LOWSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in Municorn FAX App 3.27.0 on Android. This vulnerability affects unknown code of the component biz.faxapp.app. Such manipulation leads to path traversal. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Path traversal vulnerability in Municorn FAX App 3.27.0 on Android allows local authenticated users to access files outside intended directories with low confidentiality, integrity, and availability impact. The vulnerability affects the biz.faxapp.app component and has been publicly disclosed with exploit code available, though EPSS exploitation probability remains very low at 0.04%, suggesting limited real-world attack likelihood despite public availability.
Technical ContextAI
The vulnerability is a CWE-22 path traversal flaw in an unknown code path within the Municorn FAX App's biz.faxapp.app component running on Android. Path traversal vulnerabilities typically exploit improper input validation or insufficient canonicalization of file paths, allowing attackers to navigate directory structures using sequences like '../' or absolute paths to access files outside the application's intended sandbox. On Android, this is particularly concerning in shared storage contexts or when the app handles file operations with inadequate validation. The vulnerability requires local access and authenticated privileges (PR:L per CVSS 4.0 vector), limiting its attack surface to users or processes already present on the device.
Affected ProductsAI
Municorn FAX App version 3.27.0 on Android is the confirmed affected version. The vulnerable component is identified as biz.faxapp.app. No CPE string was provided in available references. Additional version ranges and specific Android API levels are not documented in the disclosed data. Further information may be available through the vendor's app store listings or the GitHub security advisories referenced.
RemediationAI
No vendor-released patch has been identified at the time of analysis, as the vendor did not respond to early disclosure attempts. Users should immediately uninstall or cease use of Municorn FAX App version 3.27.0 if alternative FAX solutions are available. Monitor the vendor's support channels and app store listings for future security updates or patches. As a compensating control on Android devices, restrict file system permissions for the app via Android's permission manager - disable storage access if the app's core functions do not require file system interaction. Additionally, monitor local file access logs and implement device-level MDM (Mobile Device Management) restrictions to prevent untrusted apps from accessing sensitive directories. Users should avoid storing sensitive files in shared storage locations where the vulnerable app might traverse to them. These controls trade functionality and convenience for security, so evaluate the app's necessity before deploying.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today