EUVD-2026-18597
GHSA-8f3q-gr5f-wwhg
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
A vulnerability has been found in Rico só vantagem pra investir App up to 4.58.32.12421 on Android. This issue affects some unknown processing of the file br/com/rico/mobile/di/SegmentSettingsModule.java of the component br.com.rico.mobile. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key . The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
Hard-coded cryptographic key in Rico's Só Vantagem Pra Investir Android app (version 4.58.32.12421 and earlier) allows local authenticated attackers to manipulate the SEGMENT_WRITE_KEY argument in br/com/rico/mobile/di/SegmentSettingsModule.java, enabling unauthorized data injection and user profile manipulation with low confidentiality impact. The vulnerability requires local access and authenticated privileges; publicly available exploit code exists, but the vendor has not responded to disclosure.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today