Skip to main content

Smartbit CommV Smartschool App CVE-2025-14702

LOW
Path Traversal (CWE-22)
2025-12-15 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:47 vuln.today

DescriptionCVE.org

A flaw has been found in Smartbit CommV Smartschool App up to 10.4.4. Impacted is an unknown function of the component be.smartschool.mobile.SplashActivity. Executing manipulation can lead to path traversal. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Path traversal vulnerability in Smartbit CommV Smartschool App up to version 10.4.4 allows local authenticated attackers to manipulate the SplashActivity component and access or modify files outside intended directories. The vendor has not responded to early disclosure notification, and public exploit code is available.

Technical ContextAI

The vulnerability exists in the be.smartschool.mobile.SplashActivity component of the Smartschool mobile application, affecting file path handling mechanisms. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) indicates the application fails to properly validate or sanitize file path inputs before using them in file system operations. This allows attackers to use directory traversal sequences (such as '../') to escape intended directory boundaries and access arbitrary files on the device filesystem within the scope of the application's permissions.

Affected ProductsAI

Smartbit CommV Smartschool App versions up to and including 10.4.4 are affected. The vulnerable component is be.smartschool.mobile.SplashActivity. No patched version has been released by the vendor as of the time of this analysis.

RemediationAI

No vendor-released patch is available at this time due to lack of vendor response to disclosure. Users should immediately upgrade to a version newer than 10.4.4 if released by the vendor, or contact Smartbit CommV directly to request a security update. In the interim, apply device-level compensating controls: restrict physical access to devices running Smartschool App, implement mobile device management (MDM) policies to prevent installation of unauthorized applications that could facilitate privilege escalation into the Smartschool context, disable SplashActivity if functionally possible through app configuration, and monitor file system access patterns for evidence of path traversal exploitation. Organizations deploying this application should escalate vendor engagement through their procurement or support channels to pressure a security response, and consider evaluating alternative solutions if the vendor remains unresponsive.

Share

CVE-2025-14702 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy