CVE-2017-13160:

Remote code execution vulnerability in the Android Bluetooth stack affecting Android 7.0, 7.1.1, 7.1.2 and 8.0 (CVE-2017-13160). An attacker could potentially execute arbitrary code on a device via crafted Bluetooth data, with the issue documented in the December 2017 Android security bulletin.

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical

Published Date:Dec 6, 2017
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:1.3
EPSS Percentile:79%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Overview

This CVE describes a remote code execution flaw in Android’s Bluetooth subsystem that impacts multiple Android releases (7.0, 7.1.1, 7.1.2, 8.0). It was publicly documented in the December 2017 Android security bulletin, indicating the severity of the issue and the need for applying the relevant security updates to mitigate the risk.

Remediation

Apply the latest Android security updates and patches corresponding to the December 2017 bulletin (or later) to affected devices, ensuring that CVE-2017-13160 is addressed.
If timely patching is not possible, disable Bluetooth on devices or keep Bluetooth non-discoverable and restrict pairing to reduce exposure.
Enforce device-wide security hardening and patch management in managed environments (e.g., via MDM) to accelerate update rollout and verification.
Monitor vendor advisories and CVE references (e.g., Android bulletin 2017-12-01) for any follow-up guidance or fixes and validate patch installation in testing before broad deployment.