Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external storage which could be used by third party apps running on the device to open a TCP server, exposing sensitive permissions and data. This could allow a local attacker to bypass permission checks and access protected device settings.
AnalysisAI
Authentication bypass in the Motorola Factory Test component (com.motorola.motocit) on Motorola phones lets a co-resident Android app abuse an exposed writable file descriptor in external storage to stand up a TCP server, harvest protected settings, and act with the factory-test app's elevated permissions. The flaw is locally exploitable by any installed third-party app with low privileges and carries CVSS 4.0 score 8.4 with high confidentiality and integrity impact. No public exploit identified at time of analysis and not listed in CISA KEV.
Technical ContextAI
The bug lives in com.motorola.motocit, the pre-installed Motorola Factory Test (MotoCit) system app shipped on Motorola/Lenovo Android handsets (CPE cpe:2.3:a:motorola:phones). The component holds and leaks a reference to a writable file descriptor that resolves into external (world-readable) storage; because Android's FD inheritance and external-storage semantics let other apps reach that descriptor, a sibling unprivileged app can reuse it to bind a TCP listener inside the factory-test app's security context. That listener then services requests as the privileged component, sidestepping the Android permission model. No CWE was assigned, but the behavior maps to the CWE-287 (Improper Authentication) / CWE-732 (Incorrect Permission Assignment) family, with vendor and ENISA EUVD-2026-30942 tagging it as Authentication Bypass.
RemediationAI
Apply the Motorola security update dated 2026-04-05 or later, which patches the com.motorola.motocit component on affected handsets - installation guidance and per-model availability is tracked at https://en-us.support.motorola.com/app/answers/detail/a_id/192534. Where the OTA is not yet available for a given model, compensating controls are limited because the factory-test app is a non-removable system component: restrict sideloading and Unknown Sources, audit installed third-party apps for ones requesting external-storage or network privileges (which would let them reach the leaked descriptor and bind the rogue TCP server), and consider disabling com.motorola.motocit via adb (pm disable-user) on managed/enterprise devices, accepting the trade-off that future device diagnostics or RMA workflows depending on factory test may fail. Network-level egress filtering on the device's interfaces will not stop this since the TCP server is local to the handset.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30942
GHSA-5g7p-w325-jqc4