Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Local malicious app (AV:L, PR:L) abuses unauthenticated service crossing the sandbox boundary (S:C); primary impact is partition writes and property changes (I:H/A:H) with limited data disclosure (C:L).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionNVD
Red Magic 11 Pro (NX809J) contains a vulnerability that allows non-privileged applications to trigger sensitive operations. The vulnerability stems from the lack of validation for applications accessing the service interface. Exploiting this vulnerability, an attacker can write files to specific partitions and set writable system properties.
AnalysisAI
Local privilege escalation in the Red Magic 11 Pro (NX809J) gaming smartphone through firmware V1.0.0B14MR1 allows a non-privileged installed application to invoke a sensitive service interface that fails to validate its callers, letting the app write files to specific device partitions and set writable system properties. Reported by ZTE/Nubia through their own support bulletin, the issue is rated CVSS 8.8 with a scope change (S:C) reflecting the crossing of the app-sandbox privilege boundary into system context. There is no public exploit identified at time of analysis, EPSS is negligible (0.01%), and CISA SSVC records exploitation status as none.
Technical ContextAI
The affected component is an Android system service exposed by ZTE/Nubia's Red Magic firmware (CPE cpe:2.3:a:zte:red_magic_11_pro_(nx809j)) that offers a service interface (likely a bound Binder/AIDL service or exported provider) intended for privileged operations such as partition writes and system-property mutation. The root cause is CWE-269 (Improper Privilege Management): the service does not authenticate or authorize the calling application, so any third-party app running with ordinary, non-privileged Android permissions can reach operations that should be restricted to system/OEM-signed callers. On Android, writing to protected partitions and setting persistent/system-scoped properties normally requires system UID or SELinux domains far above an untrusted app, so the missing caller validation collapses that boundary.
RemediationAI
Update the Red Magic 11 Pro (NX809J) to the firmware version that supersedes V1.0.0B14MR1 as directed by ZTE's security bulletin (https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/8224335890517684583); no exact fixed build number is stated in the available data, so confirm the patched version directly with the vendor advisory before deploying. As compensating controls until patched, restrict app installation to trusted sources only (disable sideloading/unknown-sources installs, which reduces convenience for power users), avoid installing untrusted or low-reputation apps since exploitation requires attacker-controlled code on the device, and enterprise/MDM fleets should gate this model or enforce that no third-party APKs are permitted. Because the flaw is reachable by any local app, the only complete fix is the firmware update; the sideloading restrictions merely shrink the pool of potential malicious callers rather than closing the interface.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23388