SoliClub
CVE-2025-7358
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse.
This issue affects SoliClub: before 5.3.7.
AnalysisAI
Hard-coded credentials in Utarit Informatics SoliClub Android application versions prior to 5.3.7 allow remote unauthenticated attackers to abuse authentication and access confidential data. The flaw is tracked under CWE-798 with a CVSS 7.5 (high) confidentiality-only impact, and currently shows no public exploit identified at time of analysis with a low EPSS score of 0.06% (18th percentile).
Technical ContextAI
SoliClub is a mobile club/loyalty application distributed by Utarit Informatics Services Inc. for the Android platform, as confirmed by the CPE string cpe:2.3:a:utarit:soliclub:*:*:*:*:*:android:*:*. The root cause is CWE-798 (Use of Hard-coded Credentials), a class of weakness where authentication secrets - such as API keys, service account passwords, or shared tokens - are embedded directly in the application binary or its bundled configuration. Because Android APKs can be trivially decompiled or inspected, any embedded credential becomes effectively public to anyone who downloads the app, defeating the authentication boundary it was meant to protect.
RemediationAI
The primary fix is to upgrade the SoliClub Android application to version 5.3.7 or later, per the vendor-released patch referenced in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0466. Because hard-coded credentials cannot be revoked from end-user devices without an application update, the only effective remediation is the patched build; users should install it via Google Play or the vendor's official channel and uninstall outdated versions. As compensating controls until upgrade is complete, the vendor should rotate any backend credentials exposed in pre-5.3.7 builds and add server-side rate limiting or IP-based abuse detection on the endpoints those credentials authenticated to - noting the trade-off that aggressive rate limiting may briefly affect legitimate clients still running older versions during the transition.
Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Utarit Information SoliClub all
Authorization Bypass Through User-Controlled Key vulnerability in Utarit Information SoliClub allows Exploiting Incorrec
Authorization bypass in Utarit Informatics SoliClub Android application versions 5.2.4 through 5.3.6 allows remote unaut
Hard-coded credentials in Utarit Information Services SoliClub Android app (versions 5.2.4 through 5.3.7) allow remote u
Information disclosure in Utarit Informatics SoliClub Android app versions 5.2.4 through 5.3.6 allows remote unauthentic
Missing authorization controls in the SoliClub Android application (all versions before 5.3.7) allow authenticated low-p
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today