CVE-2021-41849

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It sends the following Personally Identifiable Information (PII) in plaintext using HTTP to servers located in China: user's list of installed apps and device International Mobile Equipment Identity (IMEI). This PII is transmitted to log.skyroam.com.cn using HTTP, independent of whether the user uses the Simo software.

Se ha detectado un problema en Luna Simo versión PPR1.180610.011/202001031830. Envía la siguiente Información de Identificación Personal (PII) en texto plano usando HTTP a servidores ubicados en China: la lista de aplicaciones instaladas por el usuario y la identidad internacional de equipo móvil (IMEI) del dispositivo. Esta PII es transmitida a log.skyroam.com.cn mediante HTTP, independientemente de que el usuario use el software Simo

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-10-01 CVE Reserved
2022-03-11 CVE Published
2024-06-02 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-319: Cleartext Transmission of Sensitive Information

CAPEC

References (4)

URL	Tag	Source
https://athack.com/session-details/401	Third Party Advisory
https://www.kryptowire.com/android-firmware-2022	Broken Link

URL	Date	SRC
https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed	2024-08-04

URL	Date	SRC

URL	Date	SRC
https://simowireless.com	2023-08-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Bluproducts Search vendor "Bluproducts"	G90 Firmware Search vendor "Bluproducts" for product "G90 Firmware"	-	-	Affected	in	Bluproducts Search vendor "Bluproducts"	G90 Search vendor "Bluproducts" for product "G90"	-	-	Safe
Bluproducts Search vendor "Bluproducts"	G9 Firmware Search vendor "Bluproducts" for product "G9 Firmware"	-	-	Affected	in	Bluproducts Search vendor "Bluproducts"	G9 Search vendor "Bluproducts" for product "G9"	-	-	Safe
Wikomobile Search vendor "Wikomobile"	Tommy 3 Firmware Search vendor "Wikomobile" for product "Tommy 3 Firmware"	-	-	Affected	in	Wikomobile Search vendor "Wikomobile"	Tommy 3 Search vendor "Wikomobile" for product "Tommy 3"	-	-	Safe
Wikomobile Search vendor "Wikomobile"	Tommy 3 Plus Firmware Search vendor "Wikomobile" for product "Tommy 3 Plus Firmware"	-	-	Affected	in	Wikomobile Search vendor "Wikomobile"	Tommy 3 Plus Search vendor "Wikomobile" for product "Tommy 3 Plus"	-	-	Safe
Luna Search vendor "Luna"	Simo Firmware Search vendor "Luna" for product "Simo Firmware"	-	-	Affected	in	Luna Search vendor "Luna"	Simo Search vendor "Luna" for product "Simo"	-	-	Safe