Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify communications transmitted in plaintext, potentially resulting in information disclosure or data tampering.
AnalysisAI
Cleartext transmission of sensitive information in KDDI's Android parental-control app 'あんしんフィルター for au' (Anshin Filter for au) exposes communications to interception and modification by man-in-the-middle attackers. Versions prior to 4.9_b0003 transmit data over unencrypted channels, enabling an attacker with a privileged network position to read sensitive user data or tamper with app communications. Disclosed by JPCERT/CC (JVN#24167657), no public exploit code exists and CISA has not listed this in KEV; EPSS of 0.01% (3rd percentile) and SSVC exploitation status of 'none' confirm negligible current threat activity.
Technical ContextAI
The affected product is KDDI Corporation's Android application 'あんしんフィルター for au', a carrier-bundled parental control and content-filtering app distributed to au mobile subscribers in Japan. CWE-319 (Cleartext Transmission of Sensitive Information) indicates the application fails to use TLS/HTTPS - or uses it inconsistently - for one or more network communication paths, transmitting data that should be protected in plaintext. This class of vulnerability typically arises from hardcoded HTTP endpoints, insecure fallback logic, or misconfigured network security policy in the Android manifest. The CVSS 4.0 vector's AT:P (Attack Requirements: Present) reflects that exploitation requires the attacker to occupy a privileged network position capable of observing or modifying the device's traffic, such as a rogue Wi-Fi access point or ARP-poisoned LAN segment.
RemediationAI
The vendor-released patch is version 4.9_b0003 - users should update 'あんしんフィルター for au' to 4.9_b0003 or later via the Google Play Store or KDDI's official distribution channel. Refer to the JPCERT/CC advisory at https://jvn.jp/en/jp/JVN24167657/ for official guidance. Until patching is possible, users should avoid using the application on untrusted or public Wi-Fi networks, as these represent the primary attack surface for MITM interception; using a trusted mobile data (cellular) connection reduces but does not eliminate positional MITM risk. Enterprise or managed-device deployments using MDM solutions may consider restricting the app's network access to known-safe SSIDs as a compensating control, though this introduces usability constraints for mobile users.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30207
GHSA-j234-63rh-5m6p