CVE-2022-38670: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
In soundrecorder service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.
AI Analysis
Technical Summary
CVE-2022-38670 is a high-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, and various T-series models (T610, T310, T606, T760, T618, T612, T616, T770, T820, S8000). These chipsets are integrated into devices running Android 10, 11, and 12. The vulnerability stems from a missing authorization check within the soundrecorder service, which is responsible for handling audio recording functionalities. Due to this missing permission validation, an attacker with limited privileges (local access with low privileges) can exploit this flaw to elevate their privileges specifically within the contacts service. This elevation of privilege allows the attacker to gain high confidentiality, integrity, and availability impact on the contacts data, potentially enabling unauthorized access, modification, or deletion of sensitive contact information. The CVSS 3.1 score of 7.8 reflects the high impact and relatively low complexity of exploitation, requiring no user interaction but limited to local access with some privileges. Although no known exploits are currently reported in the wild, the vulnerability represents a significant risk due to the sensitive nature of contact data and the widespread use of affected chipsets in various Android devices. The flaw is categorized under CWE-862 (Missing Authorization), indicating a failure to properly enforce access controls, which is a critical security oversight in system services that manage sensitive user data.
Potential Impact
For European organizations, the impact of CVE-2022-38670 can be substantial, especially for enterprises and government entities relying on mobile devices powered by Unisoc chipsets. The contacts service often contains sensitive personal and professional information, including client contacts, internal communication channels, and confidential business relationships. Unauthorized access or modification of this data can lead to privacy violations, data breaches, and potential regulatory non-compliance under GDPR. Additionally, the elevation of privilege could be leveraged as a stepping stone for further attacks on the device or network, potentially compromising organizational security. The vulnerability's presence in Android versions 10 through 12 means a broad range of devices remain at risk, including those used by employees for work-related communications. This could affect sectors such as finance, healthcare, and public administration, where contact data integrity and confidentiality are paramount. Moreover, the lack of user interaction required for exploitation increases the risk of automated or stealthy attacks within corporate environments.
Mitigation Recommendations
To mitigate CVE-2022-38670 effectively, European organizations should: 1) Identify and inventory all mobile devices using Unisoc chipsets running Android 10, 11, or 12 within their environment. 2) Work with device manufacturers and Unisoc to obtain and apply any available security patches or firmware updates addressing this vulnerability. 3) If patches are unavailable, consider restricting the use of affected devices for sensitive communications or deploying mobile device management (MDM) solutions to enforce strict application permissions and monitor unusual behavior in the soundrecorder and contacts services. 4) Implement strict access controls and privilege management on mobile devices to limit local user privileges, reducing the attack surface for privilege escalation. 5) Educate users about the risks of installing untrusted applications or granting excessive permissions that could exploit this vulnerability. 6) Monitor device logs and network traffic for anomalies indicative of exploitation attempts targeting the contacts or soundrecorder services. 7) Consider isolating or segmenting mobile devices in the corporate network to limit lateral movement if compromise occurs.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Finland
CVE-2022-38670: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
Description
In soundrecorder service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.
AI-Powered Analysis
Technical Analysis
CVE-2022-38670 is a high-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, and various T-series models (T610, T310, T606, T760, T618, T612, T616, T770, T820, S8000). These chipsets are integrated into devices running Android 10, 11, and 12. The vulnerability stems from a missing authorization check within the soundrecorder service, which is responsible for handling audio recording functionalities. Due to this missing permission validation, an attacker with limited privileges (local access with low privileges) can exploit this flaw to elevate their privileges specifically within the contacts service. This elevation of privilege allows the attacker to gain high confidentiality, integrity, and availability impact on the contacts data, potentially enabling unauthorized access, modification, or deletion of sensitive contact information. The CVSS 3.1 score of 7.8 reflects the high impact and relatively low complexity of exploitation, requiring no user interaction but limited to local access with some privileges. Although no known exploits are currently reported in the wild, the vulnerability represents a significant risk due to the sensitive nature of contact data and the widespread use of affected chipsets in various Android devices. The flaw is categorized under CWE-862 (Missing Authorization), indicating a failure to properly enforce access controls, which is a critical security oversight in system services that manage sensitive user data.
Potential Impact
For European organizations, the impact of CVE-2022-38670 can be substantial, especially for enterprises and government entities relying on mobile devices powered by Unisoc chipsets. The contacts service often contains sensitive personal and professional information, including client contacts, internal communication channels, and confidential business relationships. Unauthorized access or modification of this data can lead to privacy violations, data breaches, and potential regulatory non-compliance under GDPR. Additionally, the elevation of privilege could be leveraged as a stepping stone for further attacks on the device or network, potentially compromising organizational security. The vulnerability's presence in Android versions 10 through 12 means a broad range of devices remain at risk, including those used by employees for work-related communications. This could affect sectors such as finance, healthcare, and public administration, where contact data integrity and confidentiality are paramount. Moreover, the lack of user interaction required for exploitation increases the risk of automated or stealthy attacks within corporate environments.
Mitigation Recommendations
To mitigate CVE-2022-38670 effectively, European organizations should: 1) Identify and inventory all mobile devices using Unisoc chipsets running Android 10, 11, or 12 within their environment. 2) Work with device manufacturers and Unisoc to obtain and apply any available security patches or firmware updates addressing this vulnerability. 3) If patches are unavailable, consider restricting the use of affected devices for sensitive communications or deploying mobile device management (MDM) solutions to enforce strict application permissions and monitor unusual behavior in the soundrecorder and contacts services. 4) Implement strict access controls and privilege management on mobile devices to limit local user privileges, reducing the attack surface for privilege escalation. 5) Educate users about the risks of installing untrusted applications or granting excessive permissions that could exploit this vulnerability. 6) Monitor device logs and network traffic for anomalies indicative of exploitation attempts targeting the contacts or soundrecorder services. 7) Consider isolating or segmenting mobile devices in the corporate network to limit lateral movement if compromise occurs.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Unisoc
- Date Reserved
- 2022-08-22T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fa1484d88663aec417
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/6/2025, 8:42:24 AM
Last updated: 7/31/2025, 6:53:35 PM
Views: 12
Related Threats
CVE-2025-9002: SQL Injection in Surbowl dormitory-management-php
MediumCVE-2025-9001: Stack-based Buffer Overflow in LemonOS
MediumCVE-2025-8867: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in iqonicdesign Graphina – Elementor Charts and Graphs
MediumCVE-2025-8680: CWE-918 Server-Side Request Forgery (SSRF) in bplugins B Slider- Gutenberg Slider Block for WP
MediumCVE-2025-8676: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in bplugins B Slider- Gutenberg Slider Block for WP
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.