Skip to main content

Municorn FAX App CVE-2025-14699

LOW
Path Traversal (CWE-22)
2025-12-15 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:47 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in Municorn FAX App 3.27.0 on Android. This vulnerability affects unknown code of the component biz.faxapp.app. Such manipulation leads to path traversal. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Path traversal vulnerability in Municorn FAX App 3.27.0 on Android allows local authenticated users to access files outside intended directories with low confidentiality, integrity, and availability impact. The vulnerability affects the biz.faxapp.app component and has been publicly disclosed with exploit code available, though EPSS exploitation probability remains very low at 0.04%, suggesting limited real-world attack likelihood despite public availability.

Technical ContextAI

The vulnerability is a CWE-22 path traversal flaw in an unknown code path within the Municorn FAX App's biz.faxapp.app component running on Android. Path traversal vulnerabilities typically exploit improper input validation or insufficient canonicalization of file paths, allowing attackers to navigate directory structures using sequences like '../' or absolute paths to access files outside the application's intended sandbox. On Android, this is particularly concerning in shared storage contexts or when the app handles file operations with inadequate validation. The vulnerability requires local access and authenticated privileges (PR:L per CVSS 4.0 vector), limiting its attack surface to users or processes already present on the device.

Affected ProductsAI

Municorn FAX App version 3.27.0 on Android is the confirmed affected version. The vulnerable component is identified as biz.faxapp.app. No CPE string was provided in available references. Additional version ranges and specific Android API levels are not documented in the disclosed data. Further information may be available through the vendor's app store listings or the GitHub security advisories referenced.

RemediationAI

No vendor-released patch has been identified at the time of analysis, as the vendor did not respond to early disclosure attempts. Users should immediately uninstall or cease use of Municorn FAX App version 3.27.0 if alternative FAX solutions are available. Monitor the vendor's support channels and app store listings for future security updates or patches. As a compensating control on Android devices, restrict file system permissions for the app via Android's permission manager - disable storage access if the app's core functions do not require file system interaction. Additionally, monitor local file access logs and implement device-level MDM (Mobile Device Management) restrictions to prevent untrusted apps from accessing sensitive directories. Users should avoid storing sensitive files in shared storage locations where the vulnerable app might traverse to them. These controls trade functionality and convenience for security, so evaluate the app's necessity before deploying.

Share

CVE-2025-14699 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy