CVE-2022-39080: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
In messaging service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.
AI Analysis
Technical Summary
CVE-2022-39080 is a high-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, and various T-series models such as T610, T310, T606, T760, T618, T612, T616, T770, T820, and S8000. These chipsets are integrated into devices running Android versions 10, 11, and 12. The vulnerability stems from a missing authorization check within the messaging service, specifically related to the contacts service. This missing permission validation allows an attacker with limited privileges (low-level privileges) to elevate their access rights without requiring additional execution privileges or user interaction. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that the system fails to properly verify whether a user or process is authorized to perform certain actions. The CVSS v3.1 score is 7.8, reflecting a high severity level, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits in the wild have been reported, the vulnerability's nature allows an attacker with local access to escalate privileges within the contacts service, potentially leading to unauthorized access or modification of sensitive contact data and disruption of related services. The lack of a patch link suggests that remediation may require vendor intervention or updates from device manufacturers integrating these chipsets. This vulnerability is critical for devices using affected Unisoc chipsets, especially in environments where local access can be obtained or where malicious applications might exploit this flaw to gain elevated privileges.
Potential Impact
For European organizations, the impact of CVE-2022-39080 can be significant, particularly for those relying on mobile devices or embedded systems powered by Unisoc chipsets running Android 10 through 12. The elevation of privilege vulnerability in the contacts service could lead to unauthorized access to sensitive contact information, which may include personal data of employees, clients, and partners, thereby risking confidentiality breaches under GDPR regulations. Integrity of contact data could be compromised, leading to misinformation or manipulation that affects communication workflows. Availability impact could manifest as service disruptions in messaging or contacts applications, potentially hindering business operations. Organizations with Bring Your Own Device (BYOD) policies or those deploying mobile devices in critical roles (e.g., field operations, secure communications) may face increased risk. The local attack vector implies that attackers need some form of local access, which could be achieved via malicious apps or physical access, making insider threats or compromised devices a concern. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time. Overall, the vulnerability poses a risk to data privacy, operational continuity, and regulatory compliance for European entities using affected devices.
Mitigation Recommendations
To mitigate CVE-2022-39080 effectively, European organizations should take a multi-layered approach: 1) Inventory and identify all devices using affected Unisoc chipsets and running Android 10, 11, or 12. 2) Engage with device manufacturers and Unisoc to obtain firmware or software updates that address the missing authorization check; prioritize deployment of patches once available. 3) Implement strict application control policies to prevent installation of untrusted or potentially malicious apps that could exploit local privilege escalation. 4) Enforce mobile device management (MDM) solutions to monitor device integrity, restrict privilege escalation attempts, and enforce security policies such as least privilege and app vetting. 5) Educate users about the risks of installing apps from untrusted sources and the importance of device security hygiene. 6) For high-security environments, consider restricting physical access to devices and employing endpoint detection and response (EDR) tools capable of identifying suspicious local privilege escalation activities. 7) Regularly audit and monitor contacts and messaging services for unusual access patterns or modifications. These targeted measures go beyond generic advice by focusing on device-specific patch management, application control, and user behavior to reduce exploitation likelihood.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Finland
CVE-2022-39080: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
Description
In messaging service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.
AI-Powered Analysis
Technical Analysis
CVE-2022-39080 is a high-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, and various T-series models such as T610, T310, T606, T760, T618, T612, T616, T770, T820, and S8000. These chipsets are integrated into devices running Android versions 10, 11, and 12. The vulnerability stems from a missing authorization check within the messaging service, specifically related to the contacts service. This missing permission validation allows an attacker with limited privileges (low-level privileges) to elevate their access rights without requiring additional execution privileges or user interaction. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that the system fails to properly verify whether a user or process is authorized to perform certain actions. The CVSS v3.1 score is 7.8, reflecting a high severity level, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits in the wild have been reported, the vulnerability's nature allows an attacker with local access to escalate privileges within the contacts service, potentially leading to unauthorized access or modification of sensitive contact data and disruption of related services. The lack of a patch link suggests that remediation may require vendor intervention or updates from device manufacturers integrating these chipsets. This vulnerability is critical for devices using affected Unisoc chipsets, especially in environments where local access can be obtained or where malicious applications might exploit this flaw to gain elevated privileges.
Potential Impact
For European organizations, the impact of CVE-2022-39080 can be significant, particularly for those relying on mobile devices or embedded systems powered by Unisoc chipsets running Android 10 through 12. The elevation of privilege vulnerability in the contacts service could lead to unauthorized access to sensitive contact information, which may include personal data of employees, clients, and partners, thereby risking confidentiality breaches under GDPR regulations. Integrity of contact data could be compromised, leading to misinformation or manipulation that affects communication workflows. Availability impact could manifest as service disruptions in messaging or contacts applications, potentially hindering business operations. Organizations with Bring Your Own Device (BYOD) policies or those deploying mobile devices in critical roles (e.g., field operations, secure communications) may face increased risk. The local attack vector implies that attackers need some form of local access, which could be achieved via malicious apps or physical access, making insider threats or compromised devices a concern. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time. Overall, the vulnerability poses a risk to data privacy, operational continuity, and regulatory compliance for European entities using affected devices.
Mitigation Recommendations
To mitigate CVE-2022-39080 effectively, European organizations should take a multi-layered approach: 1) Inventory and identify all devices using affected Unisoc chipsets and running Android 10, 11, or 12. 2) Engage with device manufacturers and Unisoc to obtain firmware or software updates that address the missing authorization check; prioritize deployment of patches once available. 3) Implement strict application control policies to prevent installation of untrusted or potentially malicious apps that could exploit local privilege escalation. 4) Enforce mobile device management (MDM) solutions to monitor device integrity, restrict privilege escalation attempts, and enforce security policies such as least privilege and app vetting. 5) Educate users about the risks of installing apps from untrusted sources and the importance of device security hygiene. 6) For high-security environments, consider restricting physical access to devices and employing endpoint detection and response (EDR) tools capable of identifying suspicious local privilege escalation activities. 7) Regularly audit and monitor contacts and messaging services for unusual access patterns or modifications. These targeted measures go beyond generic advice by focusing on device-specific patch management, application control, and user behavior to reduce exploitation likelihood.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Unisoc
- Date Reserved
- 2022-09-01T00:00:00.000Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fb1484d88663aec679
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 11:11:53 AM
Last updated: 8/12/2025, 2:06:21 PM
Views: 14
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.