CallApp Caller ID
CVE-2025-7889
LOW
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in CallApp Caller ID App up to 2.0.4 on Android. It has been classified as problematic. Affected is an unknown function of the file AndroidManifest.xml of the component caller.id.phone.number.block. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
CallApp Caller ID App versions up to 2.0.4 on Android export an application component through an AndroidManifest.xml misconfiguration in the caller.id.phone.number.block component, so another app installed on the same device (the vector is AV:L with PR:L: a local attacker holding only ordinary app privileges) can invoke functionality that was meant to stay internal. NVD rates the impact as low on confidentiality, integrity and availability (VC:L/VI:L/VA:L) with no effect on other systems (SC:N/SI:N/SA:N). A proof of concept has been published (E:P), but the CVSS score of 1.9 and EPSS of 0.03% indicate minimal real-world exploitation risk despite its availability.
Technical Context (AI)
The vulnerability stems from improper component export configuration in the AndroidManifest.xml of the caller.id.phone.number.block component. Android applications declare which components (activities, services, broadcast receivers, content providers) other applications may reach through the android:exported attribute. Before API level 31 a component that carried an <intent-filter> but no explicit android:exported was exported by default, which is why apps targeting Android 12 or later must set the attribute explicitly on such components. This is CWE-926 (Improper Export of Android Application Components): a component that should be internal is reachable by any co-installed app, which can start it with crafted intents and bypass whatever access checks the app's own user interface enforces; an exported component is only as protected as the android:permission it declares, and one that declares none is open to every app on the device. The affected versions are CallApp Caller ID App up to and including 2.0.4 on Android.
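To make the export rules above concrete, here is an added example (not code from this page, from vuln.today, or from CallApp, whose manifest is not reproduced here): a small Python checker that applies Android's export defaults to a manifest and lists the components other apps can reach. The two manifests embedded in it are constructed for the example; the package name com.example.callerid and every component, action and permission name in them are invented. The first manifest shows the weak pattern (an activity with a custom intent-filter and no android:exported, plus a service exported with no permission guard); the second shows the corrected form, which is the developer-side fix for this class of bug.

```python
"""Flag AndroidManifest.xml components reachable by other apps on the device.

Added example for CWE-926 review. The manifests below are constructed;
no real app's manifest is reproduced here.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text, target_sdk=None):
    """Return a list of dicts, one per component that other apps can reach.

    Platform export rules applied here:
      android:exported="true"  -> exported
      android:exported="false" -> private
      attribute absent         -> exported iff an <intent-filter> is present
                                  (the implicit default API 31+ no longer allows);
                                  a <provider> with no attribute is exported
                                  when targetSdkVersion < 17.
    A component that declares android:permission is reported as protected.
    """
    root = ET.fromstring(xml_text)
    if target_sdk is None:
        sdk = root.find("uses-sdk")
        declared_sdk = None if sdk is None else (
            _attr(sdk, "targetSdkVersion") or _attr(sdk, "minSdkVersion"))
        target_sdk = int(declared_sdk) if declared_sdk else 1
    findings = []
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        declared = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if declared is not None:
            exported = declared.lower() == "true"
            reason = 'android:exported="%s"' % declared
        elif comp.tag == "provider":
            exported = target_sdk < 17
            reason = "provider default for targetSdkVersion %d" % target_sdk
        else:
            exported = has_filter
            reason = ("implicit export via <intent-filter>" if has_filter
                      else "no intent-filter, private by default")
        if not exported:
            continue
        perm = _attr(comp, "permission")
        findings.append({
            "type": comp.tag,
            "name": _attr(comp, "name"),
            "reason": reason,
            "permission": perm,
            "protected": perm is not None,
            # The launcher activity must be exported; it is expected, not a bug.
            "launcher": any(_attr(c, "name") == LAUNCHER for c in comp.iter("category")),
        })
    return findings


def needs_review(findings):
    """Exported components that are neither the launcher entry point nor
    guarded by a permission: the ones to look at first."""
    return [f for f in findings if not f["protected"] and not f["launcher"]]


# Constructed weak manifest: BlockNumberActivity is reachable by any app
# because its intent-filter makes it exported by default; SyncService is
# exported explicitly with nothing guarding it.
WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.callerid">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".BlockNumberActivity">
      <intent-filter>
        <action android:name="com.example.callerid.BLOCK"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".CallReceiver" android:exported="false"/>
    <provider android:name=".ContactsProvider"
        android:authorities="com.example.callerid.contacts"/>
  </application>
</manifest>
"""

# Constructed corrected manifest: every component states android:exported,
# internal ones are private, and the one service that must stay reachable
# is guarded by a signature-level permission.
FIXED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.callerid">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
  <permission android:name="com.example.callerid.permission.SYNC"
      android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".BlockNumberActivity" android:exported="false">
      <intent-filter>
        <action android:name="com.example.callerid.BLOCK"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.callerid.permission.SYNC"/>
    <receiver android:name=".CallReceiver" android:exported="false"/>
    <provider android:name=".ContactsProvider" android:exported="false"
        android:authorities="com.example.callerid.contacts"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(label)
        for f in needs_review(audit_manifest(manifest)):
            print("  %-8s %-22s %s" % (f["type"], f["name"], f["reason"]))
```

Against a real APK, feed the checker the decoded manifest produced by apktool (apktool d app.apk) rather than the binary one inside the archive. Note that a `<provider>` is handled separately: with the constructed weak manifest the provider is private because targetSdkVersion is 30, but calling audit_manifest(WEAK_MANIFEST, target_sdk=16) flags it, which is the legacy default that still bites old apps.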
Remediation (AI)
No fixed version is listed: the vendor was contacted before disclosure and did not respond, so check the Google Play Store for a release newer than 2.0.4 and confirm from its release notes that the export issue is addressed rather than assuming a later build fixes it. If no fix appears, uninstall the application and use a caller ID product from a vendor with an active security response process. Exploitation requires a malicious app installed on the same device, so the effective compensating control is to limit what gets installed (keep Play Protect enabled and avoid sideloading from untrusted sources); denying runtime permissions to other apps in Settings → Apps → Permissions does not stop them from sending an intent to an exported component. Also review Settings → Apps → Special app access → Device admin apps and remove CallApp if it holds device administrator rights, since an exported component in a privileged app exposes more. Given the low rated impact (limited confidentiality, integrity and availability effect, not code execution), removal is optional for most users unless the app stops being maintained.
External POC / Exploit Code