Cool Mo Maigcal Number CVE-2025-8258
Severity by source: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability, which was classified as problematic, has been found in Cool Mo Maigcal Number App up to 1.0.3 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.sdmagic.number. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Cool Mo Maigcal Number App versions 1.0.0 through 1.0.3 on Android contain improper export of application components in AndroidManifest.xml, allowing local authenticated attackers to access sensitive functionality of the com.sdmagic.number component. While CVSS severity is minimal (1.9), publicly available exploit code exists; exploitation requires local device access and authenticated privileges but carries information disclosure impact.
Technical Context (AI)
The vulnerability stems from an insecure AndroidManifest.xml configuration (CWE-926: Improper Export of Android Application Components), where the com.sdmagic.number component lacks proper intent-filter restrictions or an explicit android:exported="false" declaration. On Android, exported components without proper access controls can be invoked by other applications or local processes with authenticated privileges, bypassing intended security boundaries. The affected versions 1.0.0 through 1.0.3 fail to properly restrict component exposure, allowing escalation of privileges for local attackers who have already gained user-level authentication on the device.
Remediation (AI)
Update Cool Mo Maigcal Number to a version later than 1.0.3 if available from the vendor, or contact the developer (Cool Mo) for patched releases. If no patched version is available, harden AndroidManifest.xml by explicitly setting android:exported="false" on the com.sdmagic.number component and its related activities, services and broadcast receivers. Restrict component visibility by removing unnecessary intent-filters or by adding explicit permission requirements (android:permission) to limit which apps can invoke the component. Additionally, enforce device-level controls: restrict app installation to trusted sources only, review app permissions during install, and monitor local app interactions through security monitoring solutions. The primary mitigation path is vendor patching; defensive configurations are secondary measures that require direct manifest modification and may conflict with app functionality.