CVE-2022-38698: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
In messaging service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.
AI Analysis
Technical Summary
CVE-2022-38698 is a high-severity vulnerability identified in several Unisoc (Shanghai) Technologies Co., Ltd. chipsets, specifically the SC9863A, SC9832E, SC7731E, and multiple other models used in mobile devices running Android 10, 11, and 12. The vulnerability stems from a missing authorization check within the messaging service component. This flaw allows an attacker with limited privileges (local access with low privileges) to elevate their privileges within the contacts service without requiring additional execution privileges or user interaction. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that the affected component fails to properly verify whether the requesting entity has the necessary permissions to perform certain actions. The CVSS v3.1 base score is 7.8, reflecting a high severity due to the combined impact on confidentiality, integrity, and availability, and the relatively low complexity of exploitation. The attack vector is local (AV:L), requiring the attacker to have local access to the device, but no user interaction is needed (UI:N). The vulnerability affects a broad range of Unisoc chipsets commonly integrated into budget and mid-range smartphones, potentially impacting millions of devices globally. Although no known exploits are currently reported in the wild, the vulnerability's nature could allow an attacker to manipulate or access sensitive contact information or escalate privileges to perform unauthorized actions within the device's contacts service, potentially leading to further compromise or data leakage.
Potential Impact
For European organizations, especially those whose employees use devices powered by Unisoc chipsets running affected Android versions, this vulnerability poses a significant risk. The elevation of privilege could allow attackers to access or modify sensitive contact information, which may include personal, corporate, or client data, leading to confidentiality breaches. Furthermore, the ability to escalate privileges within the contacts service could be leveraged as a foothold for lateral movement or further exploitation on the device, potentially compromising corporate networks if such devices are connected. The impact is heightened in sectors with strict data protection requirements such as finance, healthcare, and government institutions. Additionally, the vulnerability could undermine trust in mobile device security, complicating compliance with GDPR and other privacy regulations if personal data is exposed or manipulated. Given the local attack vector, the threat is more relevant in scenarios where devices are physically accessible or where malicious applications with limited privileges are installed, such as through social engineering or sideloading.
Mitigation Recommendations
To mitigate this vulnerability effectively, organizations should: 1) Ensure that all affected devices receive and apply security patches or firmware updates from device manufacturers or Unisoc as soon as they become available, even if no official patch links are currently published; 2) Implement strict mobile device management (MDM) policies to control application installation, preventing unauthorized or untrusted apps that could exploit local vulnerabilities; 3) Enforce device encryption and strong authentication mechanisms to reduce the risk of unauthorized local access; 4) Educate users about the risks of installing apps from untrusted sources and the importance of physical device security; 5) Monitor devices for unusual behavior indicative of privilege escalation attempts, such as unexpected access to contacts or messaging services; 6) For organizations deploying custom Android builds or firmware, review and harden permission checks in messaging and contacts services to prevent missing authorization issues; 7) Collaborate with device vendors to obtain timely updates and verify the integrity of firmware and software components.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Poland, Netherlands
CVE-2022-38698: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
Description
In messaging service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.
AI-Powered Analysis
Technical Analysis
CVE-2022-38698 is a high-severity vulnerability identified in several Unisoc (Shanghai) Technologies Co., Ltd. chipsets, specifically the SC9863A, SC9832E, SC7731E, and multiple other models used in mobile devices running Android 10, 11, and 12. The vulnerability stems from a missing authorization check within the messaging service component. This flaw allows an attacker with limited privileges (local access with low privileges) to elevate their privileges within the contacts service without requiring additional execution privileges or user interaction. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that the affected component fails to properly verify whether the requesting entity has the necessary permissions to perform certain actions. The CVSS v3.1 base score is 7.8, reflecting a high severity due to the combined impact on confidentiality, integrity, and availability, and the relatively low complexity of exploitation. The attack vector is local (AV:L), requiring the attacker to have local access to the device, but no user interaction is needed (UI:N). The vulnerability affects a broad range of Unisoc chipsets commonly integrated into budget and mid-range smartphones, potentially impacting millions of devices globally. Although no known exploits are currently reported in the wild, the vulnerability's nature could allow an attacker to manipulate or access sensitive contact information or escalate privileges to perform unauthorized actions within the device's contacts service, potentially leading to further compromise or data leakage.
Potential Impact
For European organizations, especially those whose employees use devices powered by Unisoc chipsets running affected Android versions, this vulnerability poses a significant risk. The elevation of privilege could allow attackers to access or modify sensitive contact information, which may include personal, corporate, or client data, leading to confidentiality breaches. Furthermore, the ability to escalate privileges within the contacts service could be leveraged as a foothold for lateral movement or further exploitation on the device, potentially compromising corporate networks if such devices are connected. The impact is heightened in sectors with strict data protection requirements such as finance, healthcare, and government institutions. Additionally, the vulnerability could undermine trust in mobile device security, complicating compliance with GDPR and other privacy regulations if personal data is exposed or manipulated. Given the local attack vector, the threat is more relevant in scenarios where devices are physically accessible or where malicious applications with limited privileges are installed, such as through social engineering or sideloading.
Mitigation Recommendations
To mitigate this vulnerability effectively, organizations should: 1) Ensure that all affected devices receive and apply security patches or firmware updates from device manufacturers or Unisoc as soon as they become available, even if no official patch links are currently published; 2) Implement strict mobile device management (MDM) policies to control application installation, preventing unauthorized or untrusted apps that could exploit local vulnerabilities; 3) Enforce device encryption and strong authentication mechanisms to reduce the risk of unauthorized local access; 4) Educate users about the risks of installing apps from untrusted sources and the importance of physical device security; 5) Monitor devices for unusual behavior indicative of privilege escalation attempts, such as unexpected access to contacts or messaging services; 6) For organizations deploying custom Android builds or firmware, review and harden permission checks in messaging and contacts services to prevent missing authorization issues; 7) Collaborate with device vendors to obtain timely updates and verify the integrity of firmware and software components.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Unisoc
- Date Reserved
- 2022-08-22T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fb1484d88663aec65e
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 11:09:34 AM
Last updated: 7/30/2025, 6:52:50 PM
Views: 9
Related Threats
CVE-2025-8959: CWE-59: Improper Link Resolution Before File Access (Link Following) in HashiCorp Shared library
HighCVE-2025-44201
LowCVE-2025-36088: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM Storage TS4500 Library
MediumCVE-2025-43490: CWE-59 Improper Link Resolution Before File Access ('Link Following') in HP, Inc. HP Hotkey Support Software
MediumCVE-2025-9060: CWE-20 Improper Input Validation in MSoft MFlash
CriticalActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.