EUVD-2026-18577
GHSA-mqg3-gfr2-qw8p
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android. This vulnerability affects unknown code of the file campusconnect/BuildConfig.java of the component campusconnect.ucc. This manipulation causes use of hard-coded cryptographic key . The attack can only be executed locally. The exploit has been published and may be used.
AnalysisAI
UCC CampusConnect App for Android versions up to 14.3.5 expose hard-coded cryptographic keys in the BuildConfig.java file, allowing local attackers with limited privileges to access sensitive cryptographic material and potentially decrypt or forge authentication tokens. The vulnerability has a low CVSS score of 1.9 due to local-only attack vector and limited confidentiality impact, but publicly available exploit code exists, making it actionable for any user with app access on a shared device.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | Despite the low CVSS score (1.9), this vulnerability presents moderate real-world risk due to several compounding factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A student or shared device user with physical access to an Android device running CampusConnect App 14.3.5 decompiles the APK using publicly available tools (apktool, jadx) and extracts the hard-coded cryptographic keys from the compiled BuildConfig.class file. Using the published exploit code referenced in the advisory, the attacker leverages these keys to decrypt locally cached student records, authentication tokens, or other sensitive campus data stored by the app, potentially accessing grades, personal information, or using the decrypted tokens to impersonate the legitimate user in API requests. … |
| Remediation | UCC should release a patched version of CampusConnect App (15.0.0 or later recommended) that removes all hard-coded cryptographic keys from BuildConfig.java and implements secure key management practices, such as storing keys in the Android Keystore or encrypted SharedPreferences with device-level encryption. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof
Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al
Share
External POC / Exploit Code
Leaving vuln.today