CVE-2025-25983:

A vulnerability in Macro-video Technologies Co., Ltd V380 Pro Android app versions 2.1.44 and 2.1.64 allows an attacker to obtain sensitive information through the QE code-based sharing component.

Score
A numerical rating that indicates how dangerous this vulnerability is.

3.4Low

Published Date:Apr 18, 2025
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.2
EPSS Percentile:37%

Exploitability

Score:1.7
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:HIGH
User Interaction:REQUIRED
Scope:CHANGED

Impact

Score:1.4
Confidentiality Impact:LOW
Integrity Impact:NONE
Availability Impact:NONE

Description Preview

A vulnerability in Macro-video Technologies Co., Ltd V380 Pro Android app versions 2.1.44 and 2.1.64 allows an attacker to obtain sensitive information through the QE code-based sharing component.

Overview

An issue in Macro-video Technologies Co.,Ltd V380 Pro Android app 2.1.44 and V380 Pro Android app 2.1.64 allows an attacker to obtain sensitive information via the QE code-based sharing component. The underlying problems include storing passwords in a recoverable format (CWE-257) and an overreliance on obscurity for security (CWE-656). The vulnerability is exploitable over the network and requires user interaction, with high privileges needed for exploitation. The CVSS v3.1 base score is 3.4 (LOW), indicating a relatively modest overall risk but with potential sensitivity exposure for credential data.

Remediation

1) Identify and apply patches or upgrade to a fixed version if provided by the vendor for the V380 Pro app, specifically addressing the QE code-based sharing component.
2) Stop storing credentials in recoverable formats. Move to secure storage such as Android Keystore or encrypted storage and, where possible, replace password-based flows with short-lived tokens or server-side authentication tokens.
3) Harden the QE code-based sharing component or disable it if it is not essential, and enforce strict access controls and authentication for any sharing functionality.
4) Implement secure-by-default practices: encrypt data at rest and in transit (TLS), remove plaintext credential caches, and ensure credentials are never transmitted in cleartext or stored in reversible formats.
5) Conduct secure code reviews and security testing (static/dynamic analysis, penetration testing) focused on credential handling and the sharing component; remediate any additional weaknesses found.
6) Monitor for anomalous usage of the sharing feature and provide user advisories. If you are a developer or vendor, release a security advisory with remediation steps and timelines to affected users.