SailingLab AppLock CVE-2025-68708
LOWSeverity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
AnalysisAI
PIN lock bypass in SailingLab AppLock 4.3.8 for Android exposes protected applications to anyone with brief physical device access. The root cause is architectural: the lock is implemented as a screen overlay rather than through Android's secure authentication APIs, meaning the underlying apps remain accessible via exposed intent routes triggered through advertisement or browser interactions. An attacker with physical access can navigate cascading UI flows to dismiss or circumvent the overlay entirely, gaining access to locked apps such as Chrome, resulting in information disclosure and unintended privilege escalation. No public exploit is confirmed in CISA KEV, but a researcher disclosure is publicly available on GitHub, and EPSS is negligible at 0.04% (11th percentile), consistent with the physical-access-only attack vector.
Technical ContextAI
SailingLab AppLock (package com.alpha.applock, version 4.3.8) implements its locking mechanism as an Android WindowManager overlay drawn atop target applications rather than using Android's sanctioned security surfaces such as KeyguardManager, BiometricPrompt, or DevicePolicyManager. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) precisely describes this root cause: the overlay layer can be bypassed by triggering exposed Android Activity or Intent routes - specifically via advertisement intents or browser deep-links - that navigate around the overlay without ever invoking the PIN verification code path. Android's intent system allows third-party apps and browser navigations to launch registered Activity components; if those components are exported or reachable through advertisement SDKs embedded in AppLock, an attacker can redirect the UI flow to a state where the overlay is absent. The CPE entry is listed as n/a in the NVD, meaning the product is not formally catalogued in the National Vulnerability Database's product dictionary, which reduces automated detection coverage for asset inventory tools.
RemediationAI
No vendor-released patch has been identified at time of analysis; no fixed version number is available from the provided intelligence sources. Users should check the Google Play listing (https://play.google.com/store/apps/details?id=com.alpha.applock) for any updates released after version 4.3.8. As a compensating control, users requiring app-level locking should migrate to Android's built-in screen pinning or device administrator features, or use app-locking solutions that integrate with BiometricPrompt and KeyguardManager APIs rather than overlay-based approaches - the trade-off is reduced feature flexibility but a fundamentally more secure authentication path. Disabling the AppLock overlay for individual apps via the app's own settings eliminates the false sense of security without relying on the bypass-prone overlay. On corporate-managed devices, MDM-enforced app restrictions or Android Enterprise work profiles should replace third-party overlay lockers entirely. The researcher disclosure is available at https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68708 for technical detail.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today