CVE-2022-30124 is an improper authentication vulnerability (CWE-287) identified in the Rocket.Chat Mobile application versions prior to 4.14.1.22788 on both iOS and Android platforms. This vulnerability allows an attacker with physical access to the device to bypass the local authentication mechanism, specifically the PIN code protection implemented within the app. The flaw arises because the app fails to properly enforce authentication controls, enabling unauthorized users to access Rocket.Chat data without needing to provide valid credentials. The vulnerability has a CVSS 3.1 base score of 6.8, indicating a medium severity level. The vector metrics highlight that the attack requires physical access (AV:P), has low attack complexity (AC:L), requires no privileges (PR:N), and no user interaction (UI:N). The impact is significant, affecting confidentiality, integrity, and availability (all rated high), as unauthorized access could expose sensitive communications, allow data manipulation, or disrupt service availability within the app. No known exploits are currently reported in the wild, and no official patches or updates are linked in the provided data, though the fixed version is 4.14.1.22788 or later. This vulnerability is particularly critical for organizations relying on Rocket.Chat for secure internal communications, as it undermines the local security controls designed to protect chat data on mobile devices.

For European organizations, this vulnerability poses a substantial risk, especially for entities handling sensitive or regulated information such as financial institutions, healthcare providers, government agencies, and enterprises subject to GDPR compliance. Unauthorized access to Rocket.Chat on a mobile device could lead to exposure of confidential conversations, intellectual property, or personal data, potentially resulting in data breaches and regulatory penalties. The ability to bypass local authentication without user interaction increases the risk of insider threats or opportunistic attackers exploiting lost or stolen devices. Additionally, compromised integrity could allow attackers to alter messages or inject malicious content, undermining trust in communications. Availability impacts could disrupt business operations if attackers manipulate or delete chat data. Given the widespread use of Rocket.Chat as an open-source collaboration platform in Europe, the vulnerability could affect a broad range of organizations, particularly those with mobile-first or remote workforces.

Organizations should immediately verify the version of Rocket.Chat Mobile app deployed on employee devices and ensure updates to version 4.14.1.22788 or later are applied, where the vulnerability is addressed. In the absence of an official patch, organizations should enforce device-level security controls such as full disk encryption, strong device passcodes, and remote wipe capabilities to mitigate risks from physical device compromise. Implement Mobile Device Management (MDM) solutions to control app installations and enforce security policies. Educate users on the risks of leaving devices unattended and the importance of reporting lost or stolen devices promptly. Additionally, consider restricting sensitive communications on mobile devices or using additional app-level encryption or authentication layers where feasible. Regular audits of access logs and anomaly detection can help identify unauthorized access attempts. Finally, coordinate with Rocket.Chat support or community channels to monitor for official patches and advisories.