EUVD-2025-18369

CVE-2025-6172 CRITICAL
2025-06-16 907edf6c-bf03-423e-ab1a-8da27e1aa1ea
CVSS 3.1: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 21:59 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:59 (euvd), EUVD-2025-18369
CVE Published: Jun 16, 2025 - 09:15 (nvd), CRITICAL 9.8

Description

Permission vulnerability in the mobile application (com.afmobi.boomplayer) may lead to the risk of unauthorized operation.

Analysis

A critical permission vulnerability in the BoomPlayer mobile application (com.afmobi.boomplayer) allows unauthenticated remote attackers to perform unauthorized operations, with complete compromise of confidentiality, integrity, and availability. It carries a CVSS 3.1 score of 9.8 and is classified as an improper authentication/authorization defect (CWE-287). Exploitation requires no user interaction and can be triggered over the network, making it a severe risk to all users of this application.

Technical Context

The vulnerability resides in the BoomPlayer Android application (package identifier: com.afmobi.boomplayer) and involves improper permission handling or missing authentication checks (CWE-287: Improper Authentication). This class of vulnerability typically manifests when the application fails to properly validate user identity or enforce role-based access controls before exposing sensitive operations. The root cause likely involves: (1) missing or inadequate permission declarations in the Android manifest, (2) unprotected exported components (Activities, Services, Broadcast Receivers, or Content Providers), or (3) insufficient runtime permission validation. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U confirms the vulnerability is network-accessible with low attack complexity, requiring no privileges or user interaction, and maintains the same privilege scope before and after exploitation. This suggests either a completely unauthenticated API endpoint or an exported Android component accessible to any installed application or remote caller.
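A defender-side check for the second root-cause class above, as an added example that is not from the advisory or the vendor: it scans a decoded AndroidManifest.xml for exported components with no permission guard. The sample manifest is constructed and every package and class name in it is hypothetical; it is not BoomPlayer's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <service android:name=".DownloadService" android:exported="true"/>
  <receiver android:name=".CommandReceiver">
   <intent-filter><action android:name="com.example.player.COMMAND"/></intent-filter>
  </receiver>
  <provider android:name=".AccountProvider" android:exported="true"
    android:authorities="com.example.player" android:readPermission="com.example.READ"/>
  <service android:name=".SyncService" android:exported="true"
    android:permission="com.example.player.SYNC"/>
  <activity android:name=".SettingsActivity" android:exported="false"/>
 </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return (tag, name, reason) for exported components with no permission guard."""
    app = ET.fromstring(xml_text).find("application")
    app_perm = app.get(ANDROID + "permission")  # application-wide default, if any
    findings = []
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(ANDROID + "name")
        exported = comp.get(ANDROID + "exported")
        # Without an explicit flag, an intent-filter historically implies exported=true.
        implicit = exported is None and comp.find("intent-filter") is not None
        if exported != "true" and not implicit:
            continue
        perm = comp.get(ANDROID + "permission") or app_perm
        if comp.tag == "provider":
            # Providers can guard reads and writes separately; both must be covered.
            gaps = [k for k in ("read", "write")
                    if not (comp.get(ANDROID + k + "Permission") or perm)]
            if gaps:
                findings.append((comp.tag, name, "no " + "/".join(gaps) + " permission"))
        elif not perm:
            how = "implicitly exported by intent-filter" if implicit else "exported"
            findings.append((comp.tag, name, how + ", no permission"))
    return findings


if __name__ == "__main__":
    print(*audit_manifest(SAMPLE_MANIFEST), sep="\n")
```

Findings are review candidates rather than confirmed flaws, since a launcher activity, for example, is exported by design.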

Affected Products

BoomPlayer: all versions prior to the patch release (the specific patched version is not provided in the CVE data)

Priority Score

49
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0