Canara ai1 Mobile Banking CVE-2025-8207
Severity: LOW (by source)
CVSS vector (NVD): CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A vulnerability was found in Canara ai1 Mobile Banking App 3.6.23 on Android and classified as problematic. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.canarabank.mobility. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Improper export of Android application components in Canara ai1 Mobile Banking App version 3.6.23 allows a local attacker with user-level privileges to reach sensitive exported components through AndroidManifest.xml misconfigurations. The vulnerability enables information disclosure with low confidentiality impact. Public exploit code exists, but real-world exploitation risk is minimal (EPSS 0.03%, CVSS 1.9) because exploitation requires local device access and authenticated user privileges.
Technical Context (AI)
This vulnerability stems from CWE-926 (Implicit Android Export of Components), a configuration flaw in which Android application components (Activities, Services, Broadcast Receivers, Content Providers) declared in AndroidManifest.xml lack an explicit android:exported="false" attribute. Apps targeting Android API level 31 or higher must declare the export status explicitly. When a component is left exported, other applications or privileged users on the same device can interact with it without authorization. The affected component com.canarabank.mobility in version 3.6.23 (the CPE entry lists 6.3.23, a discrepancy that needs vendor confirmation) exposes such components, potentially allowing other apps or local processes to invoke undocumented functionality or access the data those components handle.
Remediation (AI)
No vendor-released patch was identified at the time of analysis. Immediate remediation requires an explicit configuration fix: the development team must add android:exported="false" to every component (Activities, Services, Broadcast Receivers, Content Providers) in AndroidManifest.xml that is not meant to be reachable from other apps, and set android:exported="true" only on components intended for inter-app communication, protecting those with an appropriate android:permission attribute. Users should update the application when a patched version becomes available; meanwhile, they can reduce exposure by disallowing installation of untrusted third-party applications and monitoring the device for unauthorized app installations. The vendor's non-response to early disclosure suggests delayed or absent patching; affected users should watch Canara's official app store channel and security advisories for updates. No workaround exists for an already-installed vulnerable version without recompilation.
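The following is an added example of the manifest audit a development team would run to catch the CWE-926 pattern described above; it is not code from vuln.today or from the Canara app. The embedded manifest is constructed for illustration (the package name com.example.bankapp and all component names are placeholders, not the real app's manifest). It flags components that are implicitly exported (an intent-filter without android:exported) or explicitly exported without an android:permission guard, and shows the mechanical part of the fix: setting android:exported="false" on the implicitly exported ones. Components that are deliberately exported without a permission are only reported, since deciding whether they need a permission is a design decision.

```python
"""Audit an AndroidManifest.xml for exported components (CWE-926 pattern).

Added example; the manifest below is constructed and does not describe any
real application. Package and component names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Keep the "android:" prefix when we serialize the manifest again.
ET.register_namespace("android", ANDROID_NS)

# Constructed sample manifest: one launcher activity, one implicitly exported
# activity, one unguarded exported service, and two correctly hardened components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankapp">
  <uses-sdk android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="com.example.bankapp.TRANSFER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".PushReceiver" android:exported="true"
              android:permission="com.example.bankapp.permission.PUSH"/>
    <provider android:name=".AccountProvider"
              android:authorities="com.example.bankapp.accounts"
              android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(elem):
    """True if the component carries the LAUNCHER category (must be exported)."""
    return any(attr(cat, "name") == LAUNCHER_CATEGORY for cat in elem.iter("category"))


def audit_manifest(manifest_xml):
    """Return a list of (component_name, finding) tuples in document order per tag.

    Implicit export: intent-filter present but android:exported unset, which on
    targets below API 31 makes the component reachable from other apps.
    Unguarded export: android:exported="true" with no android:permission.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            name = attr(comp, "name")
            exported = attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported is None and has_filter:
                findings.append((name, "implicitly exported: intent-filter present, android:exported unset"))
            elif exported is not None and exported.lower() == "true":
                if attr(comp, "permission") is None and not is_launcher(comp):
                    findings.append((name, "exported without android:permission"))
    return findings


def fix_implicit_exports(manifest_xml):
    """Return the manifest with android:exported="false" on implicitly exported components.

    Only the unambiguous case is changed; explicitly exported components are left
    for a developer to review and guard with a permission or keep as-is.
    """
    root = ET.fromstring(manifest_xml)
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if attr(comp, "exported") is None and comp.find("intent-filter") is not None:
                comp.set(f"{{{ANDROID_NS}}}exported", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {finding}")
    print("--- after fixing implicit exports ---")
    for name, finding in audit_manifest(fix_implicit_exports(SAMPLE_MANIFEST)):
        print(f"{name}: {finding}")
```

Run against a real manifest by reading the decoded AndroidManifest.xml (for example from the app's source tree or an apktool output) into `audit_manifest`; the same check is what Android Studio's lint enforces for API 31+ targets, where a missing android:exported on a filtered component is a build error rather than a silent default.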