InstantBits Web Video Cast CVE-2025-7891

LOW
Improper Export of Android Application Components (CWE-926)
2025-07-20 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:24 (vuln.today)

Description (CVE.org)

A vulnerability was found in InstantBits Web Video Cast App up to 5.12.4 on Android. It has been rated as problematic. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.instantbits.cast.webvideo. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

InstantBits Web Video Cast on Android versions up to 5.12.4 improperly exports application components via AndroidManifest.xml configuration, allowing local attackers with user privileges to access sensitive functionality without authentication. The vulnerability has a CVSS score of 1.9 with low confidentiality impact and no integrity or availability impact, but is rated problematic due to the disclosure of exploitation techniques and vendor non-responsiveness. This is a local, low-severity information disclosure issue affecting only users with direct device access.

Technical Context (AI)

The vulnerability stems from improper configuration in AndroidManifest.xml, the Android application manifest file that declares application components (Activities, Services, Broadcast Receivers, Content Providers). CWE-926 (Improper Export of Android Application Components) indicates that the application fails to properly protect exported components from unauthorized access. In Android, components marked as exported or lacking proper permission restrictions can be invoked by other applications or local processes. The issue affects the com.instantbits.cast.webvideo package and involves failure to properly restrict component access through intent filters or permission declarations, allowing any local application or process with user-level privileges to interact with exported components.

Remediation (AI)

No vendor-released patch is available at time of analysis due to vendor non-responsiveness. Users should upgrade to a patched version if the vendor releases one, or consider uninstalling the application if the information disclosure risk is unacceptable. For organizations requiring the Web Video Cast functionality, compensating controls include: (1) restricting device access to trusted users only via device-level access controls and MDM policies, reducing attack surface to legitimate device users; (2) monitoring Android system logs for unexpected inter-application component invocations targeting com.instantbits.cast.webvideo via ADB logcat or security monitoring tools to detect exploitation attempts; (3) disabling the application on user devices, or removing it from them, if alternative casting solutions (native Android Cast, Google Home app) are available. Note that local mitigations are limited by the user-privilege nature of the attack; the primary defense relies on physical device security and user education regarding untrusted application installation.