Smartbit CommV Smartschool App CVE-2025-14702
LOWSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in Smartbit CommV Smartschool App up to 10.4.4. Impacted is an unknown function of the component be.smartschool.mobile.SplashActivity. Executing manipulation can lead to path traversal. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Path traversal vulnerability in Smartbit CommV Smartschool App up to version 10.4.4 allows local authenticated attackers to manipulate the SplashActivity component and access or modify files outside intended directories. The vendor has not responded to early disclosure notification, and public exploit code is available.
Technical ContextAI
The vulnerability exists in the be.smartschool.mobile.SplashActivity component of the Smartschool mobile application, affecting file path handling mechanisms. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) indicates the application fails to properly validate or sanitize file path inputs before using them in file system operations. This allows attackers to use directory traversal sequences (such as '../') to escape intended directory boundaries and access arbitrary files on the device filesystem within the scope of the application's permissions.
Affected ProductsAI
Smartbit CommV Smartschool App versions up to and including 10.4.4 are affected. The vulnerable component is be.smartschool.mobile.SplashActivity. No patched version has been released by the vendor as of the time of this analysis.
RemediationAI
No vendor-released patch is available at this time due to lack of vendor response to disclosure. Users should immediately upgrade to a version newer than 10.4.4 if released by the vendor, or contact Smartbit CommV directly to request a security update. In the interim, apply device-level compensating controls: restrict physical access to devices running Smartschool App, implement mobile device management (MDM) policies to prevent installation of unauthorized applications that could facilitate privilege escalation into the Smartschool context, disable SplashActivity if functionally possible through app configuration, and monitor file system access patterns for evidence of path traversal exploitation. Organizations deploying this application should escalate vendor engagement through their procurement or support channels to pressure a security response, and consider evaluating alternative solutions if the vendor remains unresponsive.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today