CVE-2022-38697: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
In messaging service, there is a missing permission check. This could lead to access unexpected provider in contacts service with no additional execution privileges needed.
AI Analysis
Technical Summary
CVE-2022-38697 is a medium-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, and various T-series models (T610, T310, T606, T760, T618, T612, T616, T770, T820, S8000). These chipsets are integrated into devices running Android 10, 11, and 12. The vulnerability is categorized under CWE-862, which refers to missing authorization checks. Specifically, the flaw exists in the messaging service component where a permission check is missing. This omission allows unauthorized access to a provider within the contacts service without requiring additional execution privileges or user interaction. The vulnerability has a CVSS 3.1 base score of 5.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reveals that the attack requires local access (AV:L) with low attack complexity (AC:L) and low privileges (PR:L), but no user interaction (UI:N). The impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No known exploits are reported in the wild, and no official patches have been linked yet. The vulnerability could allow a local attacker or malicious app with limited privileges to access sensitive contact information by bypassing authorization controls in the messaging service, potentially leading to privacy breaches or data leakage.
Potential Impact
For European organizations, this vulnerability poses a significant privacy risk, especially for sectors handling sensitive personal data such as healthcare, finance, and government. The unauthorized access to contact information could lead to exposure of personally identifiable information (PII), facilitating targeted phishing, social engineering attacks, or identity theft. Since the vulnerability affects devices running Android 10 to 12 on Unisoc chipsets, organizations with employees or customers using such devices may face increased risk of data leakage. The local attack vector means that malicious apps or insiders with device access could exploit this flaw without needing elevated privileges or user interaction. This could undermine trust in mobile device security and complicate compliance with GDPR regulations concerning data protection and breach notification. Additionally, the lack of patches increases the window of exposure, making timely mitigation critical.
Mitigation Recommendations
European organizations should implement a multi-layered mitigation strategy beyond generic advice: 1) Device Inventory and Management: Identify and catalog all mobile devices using Unisoc chipsets running Android 10-12 within the organization. 2) Application Control: Restrict installation of untrusted or unnecessary apps through Mobile Device Management (MDM) solutions to reduce the risk of local exploitation. 3) Least Privilege Enforcement: Ensure apps requesting access to contacts or messaging services have appropriate permissions and monitor for anomalous access patterns. 4) Network Segmentation: Limit sensitive data access on mobile devices by enforcing VPN usage and segregating critical network resources. 5) User Awareness: Educate users about risks of installing unknown apps and encourage reporting of suspicious device behavior. 6) Vendor Engagement: Actively monitor Unisoc and device manufacturers for patch releases and apply updates promptly once available. 7) Incident Response Preparedness: Develop procedures to detect and respond to potential exploitation attempts, including monitoring for unusual access to contacts data. 8) Alternative Device Usage: For high-risk roles, consider provisioning devices with chipsets not affected by this vulnerability or running updated OS versions beyond Android 12 if possible.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Finland
CVE-2022-38697: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
Description
In messaging service, there is a missing permission check. This could lead to access unexpected provider in contacts service with no additional execution privileges needed.
AI-Powered Analysis
Technical Analysis
CVE-2022-38697 is a medium-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, and various T-series models (T610, T310, T606, T760, T618, T612, T616, T770, T820, S8000). These chipsets are integrated into devices running Android 10, 11, and 12. The vulnerability is categorized under CWE-862, which refers to missing authorization checks. Specifically, the flaw exists in the messaging service component where a permission check is missing. This omission allows unauthorized access to a provider within the contacts service without requiring additional execution privileges or user interaction. The vulnerability has a CVSS 3.1 base score of 5.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reveals that the attack requires local access (AV:L) with low attack complexity (AC:L) and low privileges (PR:L), but no user interaction (UI:N). The impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No known exploits are reported in the wild, and no official patches have been linked yet. The vulnerability could allow a local attacker or malicious app with limited privileges to access sensitive contact information by bypassing authorization controls in the messaging service, potentially leading to privacy breaches or data leakage.
Potential Impact
For European organizations, this vulnerability poses a significant privacy risk, especially for sectors handling sensitive personal data such as healthcare, finance, and government. The unauthorized access to contact information could lead to exposure of personally identifiable information (PII), facilitating targeted phishing, social engineering attacks, or identity theft. Since the vulnerability affects devices running Android 10 to 12 on Unisoc chipsets, organizations with employees or customers using such devices may face increased risk of data leakage. The local attack vector means that malicious apps or insiders with device access could exploit this flaw without needing elevated privileges or user interaction. This could undermine trust in mobile device security and complicate compliance with GDPR regulations concerning data protection and breach notification. Additionally, the lack of patches increases the window of exposure, making timely mitigation critical.
Mitigation Recommendations
European organizations should implement a multi-layered mitigation strategy beyond generic advice: 1) Device Inventory and Management: Identify and catalog all mobile devices using Unisoc chipsets running Android 10-12 within the organization. 2) Application Control: Restrict installation of untrusted or unnecessary apps through Mobile Device Management (MDM) solutions to reduce the risk of local exploitation. 3) Least Privilege Enforcement: Ensure apps requesting access to contacts or messaging services have appropriate permissions and monitor for anomalous access patterns. 4) Network Segmentation: Limit sensitive data access on mobile devices by enforcing VPN usage and segregating critical network resources. 5) User Awareness: Educate users about risks of installing unknown apps and encourage reporting of suspicious device behavior. 6) Vendor Engagement: Actively monitor Unisoc and device manufacturers for patch releases and apply updates promptly once available. 7) Incident Response Preparedness: Develop procedures to detect and respond to potential exploitation attempts, including monitoring for unusual access to contacts data. 8) Alternative Device Usage: For high-risk roles, consider provisioning devices with chipsets not affected by this vulnerability or running updated OS versions beyond Android 12 if possible.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Unisoc
- Date Reserved
- 2022-08-22T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fb1484d88663aec65c
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 10:58:32 AM
Last updated: 7/30/2025, 1:59:51 AM
Views: 10
Related Threats
CVE-2025-9050: SQL Injection in projectworlds Travel Management System
MediumCVE-2025-9047: SQL Injection in projectworlds Visitor Management System
MediumCVE-2025-9046: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9028: SQL Injection in code-projects Online Medicine Guide
MediumCVE-2025-26709: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ZTE F50
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.