Skip to main content

Motorola Factory Test EUVDEUVD-2026-30942

| CVE-2026-5804 HIGH
2026-05-19 lenovo GHSA-5g7p-w325-jqc4
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 19, 2026 - 16:30 vuln.today
Patch available
May 19, 2026 - 16:02 EUVD

DescriptionCVE.org

An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external storage which could be used by third party apps running on the device to open a TCP server, exposing sensitive permissions and data. This could allow a local attacker to bypass permission checks and access protected device settings.

AnalysisAI

Authentication bypass in the Motorola Factory Test component (com.motorola.motocit) on Motorola phones lets a co-resident Android app abuse an exposed writable file descriptor in external storage to stand up a TCP server, harvest protected settings, and act with the factory-test app's elevated permissions. The flaw is locally exploitable by any installed third-party app with low privileges and carries CVSS 4.0 score 8.4 with high confidentiality and integrity impact. No public exploit identified at time of analysis and not listed in CISA KEV.

Technical ContextAI

The bug lives in com.motorola.motocit, the pre-installed Motorola Factory Test (MotoCit) system app shipped on Motorola/Lenovo Android handsets (CPE cpe:2.3:a:motorola:phones). The component holds and leaks a reference to a writable file descriptor that resolves into external (world-readable) storage; because Android's FD inheritance and external-storage semantics let other apps reach that descriptor, a sibling unprivileged app can reuse it to bind a TCP listener inside the factory-test app's security context. That listener then services requests as the privileged component, sidestepping the Android permission model. No CWE was assigned, but the behavior maps to the CWE-287 (Improper Authentication) / CWE-732 (Incorrect Permission Assignment) family, with vendor and ENISA EUVD-2026-30942 tagging it as Authentication Bypass.

RemediationAI

Apply the Motorola security update dated 2026-04-05 or later, which patches the com.motorola.motocit component on affected handsets - installation guidance and per-model availability is tracked at https://en-us.support.motorola.com/app/answers/detail/a_id/192534. Where the OTA is not yet available for a given model, compensating controls are limited because the factory-test app is a non-removable system component: restrict sideloading and Unknown Sources, audit installed third-party apps for ones requesting external-storage or network privileges (which would let them reach the leaked descriptor and bind the rogue TCP server), and consider disabling com.motorola.motocit via adb (pm disable-user) on managed/enterprise devices, accepting the trade-off that future device diagnostics or RMA workflows depending on factory test may fail. Network-level egress filtering on the device's interfaces will not stop this since the TCP server is local to the handset.

Share

EUVD-2026-30942 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy