Skip to main content

Android CVE-2025-66270

| EUVD-2025-201386 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2025-12-05 cve@mitre.org
Authentication Bypass Google Android Debian Ubuntu Suse
4.7
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 17:08 euvd
EUVD-2025-201386
Analysis Generated
Mar 15, 2026 - 17:08 vuln.today
CVE Published
Dec 05, 2025 - 06:16 nvd
MEDIUM 4.7

DescriptionNVD

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

Analysis

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.

Technical ContextAI

An authentication bypass vulnerability allows attackers to circumvent login mechanisms and gain unauthorized access without valid credentials. This vulnerability is classified as Authentication Bypass by Spoofing (CWE-290).

RemediationAI

Implement robust authentication mechanisms. Use multi-factor authentication. Review authentication logic for bypass conditions. Remove default credentials.

More from same product – last 7 days

CVE-2026-44739 HIGH
8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
CVE-2026-47269 HIGH
7.4 May 27

Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH
CVE-2026-8842 MEDIUM
6.4 May 27

Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenti
CVE-2025-68712 MEDIUM
5.5 May 27

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circum

Vendor StatusVendor

Ubuntu

Priority: Medium
kdeconnect
Release Status Version
upstream released 25.11.80+git20251121.7090b106-1
bionic not-affected code not present
focal not-affected code not present
jammy not-affected code not present
noble not-affected code not present
plucky not-affected code not present
xenial not-affected code not present
questing released 25.08.1-0ubuntu2.1
gnome-shell-extension-gsconnect
Release Status Version
focal not-affected code not present
jammy not-affected code not present
noble not-affected code not present
questing needed -
upstream released 70
plucky ignored end of life, was needed
USN-7905-1

Debian

gnome-shell-extension-gsconnect
Release Status Fixed Version Urgency
bookworm not-affected - -
trixie (security), trixie fixed 62-1+deb13u1 -
forky, sid fixed 71-1 -
trixie fixed 62-1+deb13u1 -
(unstable) fixed 71-1 -
kdeconnect
Release Status Fixed Version Urgency
bullseye not-affected - -
bookworm not-affected - -
trixie (security), trixie fixed 25.04.2-1+deb13u1 -
forky, sid fixed 25.11.80+git20251121.7090b106-1 -
trixie fixed 25.04.2-1+deb13u1 -
(unstable) fixed 25.11.80+git20251121.7090b106-1 -
DSA-6063-1 DSA-6066-1

Share

CVE-2025-66270 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy