Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerabilities in applications preloaded on Bluebird smartphones
17 July 2025 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-5344
Publication date 17 July 2025
Vendor Bluebird
Product com.bluebird.kiosk.launcher
Vulnerable versions All before 1.1.2
Vulnerability type (CWE) Improper Export of Android Application Components (CWE-926)
Report source Report to CERT Polska
CVE ID CVE-2025-5345
Publication date 17 July 2025
Vendor Bluebird
Product com.bluebird.filemanagers
Vulnerable versions 1.4.4
Vulnerability type (CWE) Improper Export of Android Application Components (CWE-926)
Report source Report to CERT Polska
CVE ID CVE-2025-5346
Publication date 17 July 2025
Vendor Bluebird
Product kr.co.bluebird.android.bbsettings
Vulnerable versions All before 1.3.3
Vulnerability type (CWE) Improper Export of Android Application Components (CWE-926)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in applications preloaded on Bluebird smartphones and participated in coordination of their disclosure.

The vulnerability CVE-2025-5344: Bluebird devices contain a pre-loaded kiosk application. This application exposes an unsecured service provider com.bluebird.kiosk.launcher.IpartnerKioskRemoteService. A local attacker can bind to the AIDL-type service to modify device's global settings and wallpaper image.

This issue affects all versions before 1.1.2.

The vulnerability CVE-2025-5345: Bluebird devices contain a pre-loaded file manager application. This application exposes an unsecured service provider com.bluebird.system.koreanpost.IsdcardRemoteService. A local attacker can bind to the AIDL-type service to copy and delete arbitrary files from device's storage with system-level permissions.

Version 1.4.4 is vulnerable, vendor reverted vulnerable versions to older version: 1.3.6

The vulnerability CVE-2025-5346: Bluebird devices contain a pre-loaded barcode scanner application. This application exposes an unsecured broadcast receiver kr.co.bluebird.android.bbsettings.BootReceiver. A local attacker can call the receiver to overwrite file containing .json keyword with default barcode config file. It is possible to overwrite file in any location due to lack of protection against path traversal in name of the file.

This issue affects all versions before 1.3.3.

Credits

We thank Szymon Chadam for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.