CVE-2022-39102: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed.
AI Analysis
Technical Summary
CVE-2022-39102 is a high-severity vulnerability identified in the power management service of multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, T610, T310, T606, T760, T618, T612, T616, T770, T820, and S8000. These chipsets are integrated into devices running Android versions 10, 11, and 12. The root cause of the vulnerability is a missing authorization check (CWE-862) within the power management service, which allows an attacker with limited privileges (low-level privileges) to configure or manipulate power management settings without requiring additional execution privileges or user interaction. The vulnerability has a CVSS 3.1 base score of 7.8, reflecting high severity, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation of this vulnerability could allow an attacker to escalate privileges or disrupt device operations by manipulating power management functions, potentially leading to denial of service, unauthorized access to sensitive information, or persistent control over the affected device. Although no known exploits are currently reported in the wild, the vulnerability's nature and impact warrant proactive mitigation. The affected chipsets are commonly found in budget and mid-range smartphones and IoT devices, particularly those manufactured or using Unisoc SoCs, which are prevalent in certain markets globally, including parts of Europe. The vulnerability's exploitation requires local access with low privileges but no user interaction, making it a significant risk if an attacker gains initial foothold on the device.
Potential Impact
For European organizations, especially those deploying devices with Unisoc chipsets running Android 10 to 12, this vulnerability poses a substantial risk. The ability to bypass authorization in the power management service can lead to unauthorized privilege escalation, enabling attackers to gain deeper control over devices. This can compromise confidentiality by exposing sensitive data, integrity by allowing unauthorized changes to system configurations, and availability by enabling denial-of-service conditions through power management manipulation. Organizations relying on mobile devices for critical communications, field operations, or IoT deployments may face operational disruptions or data breaches. Additionally, sectors such as telecommunications, manufacturing, and public services that utilize devices with these chipsets could be targeted for espionage or sabotage. The lack of user interaction requirement increases the risk of stealthy exploitation once an attacker has local access, which could be achieved via other vulnerabilities or physical access. The absence of known exploits in the wild suggests limited current exploitation but does not diminish the potential impact if weaponized.
Mitigation Recommendations
1. Immediate deployment of firmware or software updates from device manufacturers or Unisoc that address the missing authorization check is critical. Organizations should liaise with vendors to obtain patches or updated firmware versions. 2. Implement strict device access controls to limit local access to trusted users only, reducing the risk of an attacker gaining the low-level privileges needed to exploit this vulnerability. 3. Employ mobile device management (MDM) solutions to monitor and restrict unauthorized configuration changes, including power management settings. 4. Conduct regular security audits and vulnerability assessments on devices using affected chipsets to detect signs of exploitation or misconfiguration. 5. For IoT deployments, segment networks to isolate vulnerable devices and limit lateral movement in case of compromise. 6. Educate users and administrators about the risks of unauthorized device access and enforce strong authentication mechanisms to prevent privilege escalation. 7. Monitor security advisories from Unisoc and Android ecosystem partners for updates or new exploit information to respond promptly. 8. Where possible, consider replacing or upgrading devices with affected chipsets to more secure alternatives if patching is not feasible within operational constraints.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Poland, Netherlands, Belgium, Czech Republic, Hungary
CVE-2022-39102: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000
Description
In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed.
AI-Powered Analysis
Technical Analysis
CVE-2022-39102 is a high-severity vulnerability identified in the power management service of multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, T610, T310, T606, T760, T618, T612, T616, T770, T820, and S8000. These chipsets are integrated into devices running Android versions 10, 11, and 12. The root cause of the vulnerability is a missing authorization check (CWE-862) within the power management service, which allows an attacker with limited privileges (low-level privileges) to configure or manipulate power management settings without requiring additional execution privileges or user interaction. The vulnerability has a CVSS 3.1 base score of 7.8, reflecting high severity, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation of this vulnerability could allow an attacker to escalate privileges or disrupt device operations by manipulating power management functions, potentially leading to denial of service, unauthorized access to sensitive information, or persistent control over the affected device. Although no known exploits are currently reported in the wild, the vulnerability's nature and impact warrant proactive mitigation. The affected chipsets are commonly found in budget and mid-range smartphones and IoT devices, particularly those manufactured or using Unisoc SoCs, which are prevalent in certain markets globally, including parts of Europe. The vulnerability's exploitation requires local access with low privileges but no user interaction, making it a significant risk if an attacker gains initial foothold on the device.
Potential Impact
For European organizations, especially those deploying devices with Unisoc chipsets running Android 10 to 12, this vulnerability poses a substantial risk. The ability to bypass authorization in the power management service can lead to unauthorized privilege escalation, enabling attackers to gain deeper control over devices. This can compromise confidentiality by exposing sensitive data, integrity by allowing unauthorized changes to system configurations, and availability by enabling denial-of-service conditions through power management manipulation. Organizations relying on mobile devices for critical communications, field operations, or IoT deployments may face operational disruptions or data breaches. Additionally, sectors such as telecommunications, manufacturing, and public services that utilize devices with these chipsets could be targeted for espionage or sabotage. The lack of user interaction requirement increases the risk of stealthy exploitation once an attacker has local access, which could be achieved via other vulnerabilities or physical access. The absence of known exploits in the wild suggests limited current exploitation but does not diminish the potential impact if weaponized.
Mitigation Recommendations
1. Immediate deployment of firmware or software updates from device manufacturers or Unisoc that address the missing authorization check is critical. Organizations should liaise with vendors to obtain patches or updated firmware versions. 2. Implement strict device access controls to limit local access to trusted users only, reducing the risk of an attacker gaining the low-level privileges needed to exploit this vulnerability. 3. Employ mobile device management (MDM) solutions to monitor and restrict unauthorized configuration changes, including power management settings. 4. Conduct regular security audits and vulnerability assessments on devices using affected chipsets to detect signs of exploitation or misconfiguration. 5. For IoT deployments, segment networks to isolate vulnerable devices and limit lateral movement in case of compromise. 6. Educate users and administrators about the risks of unauthorized device access and enforce strong authentication mechanisms to prevent privilege escalation. 7. Monitor security advisories from Unisoc and Android ecosystem partners for updates or new exploit information to respond promptly. 8. Where possible, consider replacing or upgrading devices with affected chipsets to more secure alternatives if patching is not feasible within operational constraints.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Unisoc
- Date Reserved
- 2022-09-01T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9840c4522896dcbf153b
Added to database: 5/21/2025, 9:09:20 AM
Last enriched: 6/21/2025, 11:50:39 PM
Last updated: 8/12/2025, 3:06:41 PM
Views: 13
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.