Skip to main content

SoliClub CVE-2025-7358

HIGH
Use of Hard-coded Credentials (CWE-798)
2025-12-18 iletisim@usom.gov.tr
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 05, 2026 - 15:34 vuln.today
CVE Published
Dec 18, 2025 - 15:16 nvd
HIGH 7.5

DescriptionCVE.org

Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse.

This issue affects SoliClub: before 5.3.7.

AnalysisAI

Hard-coded credentials in Utarit Informatics SoliClub Android application versions prior to 5.3.7 allow remote unauthenticated attackers to abuse authentication and access confidential data. The flaw is tracked under CWE-798 with a CVSS 7.5 (high) confidentiality-only impact, and currently shows no public exploit identified at time of analysis with a low EPSS score of 0.06% (18th percentile).

Technical ContextAI

SoliClub is a mobile club/loyalty application distributed by Utarit Informatics Services Inc. for the Android platform, as confirmed by the CPE string cpe:2.3:a:utarit:soliclub:*:*:*:*:*:android:*:*. The root cause is CWE-798 (Use of Hard-coded Credentials), a class of weakness where authentication secrets - such as API keys, service account passwords, or shared tokens - are embedded directly in the application binary or its bundled configuration. Because Android APKs can be trivially decompiled or inspected, any embedded credential becomes effectively public to anyone who downloads the app, defeating the authentication boundary it was meant to protect.

RemediationAI

The primary fix is to upgrade the SoliClub Android application to version 5.3.7 or later, per the vendor-released patch referenced in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0466. Because hard-coded credentials cannot be revoked from end-user devices without an application update, the only effective remediation is the patched build; users should install it via Google Play or the vendor's official channel and uninstall outdated versions. As compensating controls until upgrade is complete, the vendor should rotate any backend credentials exposed in pre-5.3.7 builds and add server-side rate limiting or IP-based abuse detection on the endpoints those credentials authenticated to - noting the trade-off that aggressive rate limiting may briefly affect legitimate clients still running older versions during the transition.

Share

CVE-2025-7358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy