IDnow App
CVE-2025-7892
LOW
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability classified as problematic has been found in IDnow App up to 9.6.0 on Android. This affects an unknown part of the file AndroidManifest.xml of the component de.idnow. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
IDnow App for Android up to version 9.6.0 improperly exports application components via AndroidManifest.xml misconfiguration, allowing local attackers with user-level privileges to access sensitive functionality or information disclosure. The vulnerability is classified as low severity (CVSS 1.9) with publicly available exploit code, but the vendor has not responded to disclosure and no patch has been released. While exploitation requires local device access and legitimate app installation, the improper component export could enable privilege escalation or data theft when combined with other vulnerabilities.
Technical ContextAI
Android application components (Activities, Services, BroadcastReceivers, ContentProviders) are declared in AndroidManifest.xml with export attributes that control inter-process communication (IPC). CWE-926 (Impolite Implicit Intent Creation) and related improper component export flaws occur when sensitive components lack the android:exported='false' attribute or explicitly set android:exported='true' without proper permission guards. The IDnow component 'de.idnow' in this app has failed to properly restrict component visibility, allowing any installed application or local process with user-level privileges to interact with exported components via explicit or implicit intents. This is a manifest-level configuration vulnerability rather than code logic flaw, making it easily discoverable through static analysis of the APK.
RemediationAI
The primary remediation is for IDnow to release a patched version (9.6.1 or later) with corrected AndroidManifest.xml entries, explicitly setting android:exported='false' for all internal components and adding appropriate permission restrictions via android:permission attributes for any intentionally exported components. No vendor-released patch has been identified at the time of analysis, and the vendor has not responded to disclosure. Users should monitor the Google Play Store or IDnow's official channels for a security update and install it immediately once available. As a compensating control pending patching, users should restrict which other applications are installed on the same device, avoid sideloading untrusted APKs, and use device-level security features (work profiles, Knox security on Samsung devices) to isolate the IDnow app. Alternatively, organization administrators deploying IDnow for identity verification should consider device management policies that limit app installation to trusted sources. Note: Uninstalling and reinstalling the app will not resolve this issue as the vulnerability is embedded in the app binary itself. Developers integrating IDnow should verify IPC component security in future versions before deployment.
Share
External POC / Exploit Code
Leaving vuln.today