Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/usdAG/statuses/114478194638016465">usd AG (usdag@infosec.exchange)'s status on Saturday, 10-May-2025 21:54:33 JST</a><a href="https://infosec.exchange/@usdAG" title="usdag@infosec.exchange"><img src="https://gnusocial.jp/avatar/344902-48-20250510125433.webp" width="48" height="48" alt="usd AG" style="position: absolute; left: 0; top: 0;">usd AG</a></section><article><p>We have found an interesting vulnerability in a <a href="https://infosec.exchange/tags/Matrix" rel="tag">#Matrix</a> <a href="https://infosec.exchange/tags/Android" rel="tag">#Android</a> client:</p><p>🧩 Software: <a href="https://infosec.exchange/tags/Element" rel="tag">#Element</a> X Android<br>📦 Affected Version: &lt;= 25.04.1<br>🆔 CVE: CVE-2025-27599<br>📊 CVSSv3.1: MEDIUM<br>⚠️ Prerequisites: Clicking on a crafted hyperlink or using a malicious app</p><p>Since Element X Android usually has the permission to access camera and microphone, this can be used to record audio and video from the victim. Pretty bad! 😨</p><p>🔗 Read more: <a href="https://herolab.usd.de/security-advisories/usd-2025-0010/" rel="nofollow">https://herolab.usd.de/security-advisories/usd-2025-0010/</a></p><p><a href="https://infosec.exchange/tags/InfoSec" rel="tag">#InfoSec</a> <a href="https://infosec.exchange/tags/CyberSecurity" rel="tag">#CyberSecurity</a> <a href="https://infosec.exchange/tags/Pentesting" rel="tag">#Pentesting</a> <a href="https://infosec.exchange/tags/Hacking" rel="tag">#Hacking</a> <a href="https://infosec.exchange/tags/CVE_2025_27599" rel="tag">#CVE_2025_27599</a> <a href="https://infosec.exchange/tags/SpyWare" rel="tag">#SpyWare</a> <a href="https://infosec.exchange/tags/Phishing" rel="tag">#Phishing</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/5032941#notice-9865882">In conversation</a><time datetime="2025-05-10T21:54:33+09:00" title="Saturday, 10-May-2025 21:54:33 JST">about 3 days ago</time> <span>from <span><a href="https://infosec.exchange/@usdAG/114478194638016465" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@usdAG/114478194638016465">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4606401">A screenshot of Burp Suite in the background and a pixelated video of the simulated victim.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/478/189/056/745/750/original/07be07cad33db813.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/478/189/056/745/750/original/07be07cad33db813.png</a></li><li><article><header><div>Domain not in remote thumbnail source whitelist: herolab.usd.de</div><h5><a href="https://herolab.usd.de/security-advisories/usd-2025-0010/#InfoSec">usd-2025-0010</a></h5><div> from <span>lukasschraven</span></div></header><div>Advisory ID: usd-2025-0010 | Product: Element X Android | Vulnerability Type: Improper Export of Android Application Components (CWE-926)</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
usd AG (usdag@infosec.exchange)'s status on Saturday, 10-May-2025 21:54:33 JST usd AG
We have found an interesting vulnerability in a #Matrix #Android client:
🧩 Software: #Element X Android
📦 Affected Version: <= 25.04.1
🆔 CVE: CVE-2025-27599
📊 CVSSv3.1: MEDIUM
⚠️ Prerequisites: Clicking on a crafted hyperlink or using a malicious app
Since Element X Android usually has the permission to access camera and microphone, this can be used to record audio and video from the victim. Pretty bad! 😨
🔗 Read more: https://herolab.usd.de/security-advisories/usd-2025-0010/
#InfoSec #CyberSecurity #Pentesting #Hacking #CVE_2025_27599 #SpyWare #Phishing
In conversationabout 3 days ago from infosec.exchangepermalink
Attachments
1. A screenshot of Burp Suite in the background and a pixelated video of the simulated victim.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/478/189/056/745/750/original/07be07cad33db813.png
2. Domain not in remote thumbnail source whitelist: herolab.usd.de
  usd-2025-0010
  from lukasschraven
  Advisory ID: usd-2025-0010 | Product: Element X Android | Vulnerability Type: Improper Export of Android Application Components (CWE-926)

Public

Embed Notice

HTML Code

Corresponding Notice