
CVE-2024-39442: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T750/T765/T760/T770/T820/S8000/T8300/T9300

Severity: Medium
Published: Tue May 06 2025 (05/06/2025, 01:07:27 UTC)
Source: CVE
Vendor/Project: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T750/T765/T760/T770/T820/S8000/T8300/T9300

Description

In sprd ssense service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

AI-Powered Analysis

Last updated: 07/06/2025, 19:40:57 UTC

Technical Analysis

CVE-2024-39442 is a medium-severity vulnerability identified in the sprd ssense service of several Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC7731E, SC9832E, SC9863A, and multiple T-series models (T310, T606, T612, T616, T610, T618, T750, T765, T760, T770, T820, S8000, T8300, T9300). These chipsets are integrated into devices running Android versions 13, 14, and 15. The vulnerability stems from a missing authorization check (CWE-862) within the sprd ssense service, which is a system-level service likely responsible for sensor or device-specific functions. Due to the lack of proper permission validation, a local attacker or malicious application without elevated privileges can access sensitive information that should otherwise be protected. The vulnerability does not require any additional execution privileges or user interaction, making exploitation easier in a local context. The CVSS 3.1 base score is 6.2, reflecting a medium severity with a high impact on confidentiality but no impact on integrity or availability. The attack vector is local (AV:L), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). No known exploits are reported in the wild yet, and no patches have been linked at the time of publication. This vulnerability could allow unauthorized disclosure of sensitive data stored or processed by the sprd ssense service, potentially exposing user data or device internals to local adversaries.

Potential Impact

For European organizations, the impact of CVE-2024-39442 depends on the deployment of devices using affected Unisoc chipsets running Android 13 to 15. Since the vulnerability allows local information disclosure without elevated privileges, it could facilitate further attacks by leaking sensitive data such as device identifiers, sensor data, or other protected information. This could undermine user privacy and potentially aid in device profiling or targeted attacks. Enterprises relying on mobile devices with these chipsets for critical communications or data access may face increased risk of data leakage. Additionally, sectors with stringent data protection requirements (e.g., finance, healthcare, government) could see compliance risks if sensitive information is exposed. The lack of requirement for user interaction or privileges means that malicious apps or insiders with physical or local access could exploit this vulnerability more easily. However, since the attack vector is local, remote exploitation is not feasible, limiting the threat to scenarios where an attacker has device access or can install apps.

Mitigation Recommendations

To mitigate CVE-2024-39442, European organizations should:

1) Identify and inventory devices using affected Unisoc chipsets and running Android 13, 14, or 15.
2) Monitor vendor communications and Unisoc advisories for patches or firmware updates addressing this vulnerability and apply them promptly once available.
3) Restrict installation of untrusted or third-party applications on devices, employing mobile device management (MDM) solutions to enforce app whitelisting and permissions.
4) Implement strict physical security controls to prevent unauthorized local access to devices.
5) Use endpoint detection and response (EDR) tools capable of detecting suspicious local activity that could indicate exploitation attempts.
6) Educate users about the risks of installing unverified apps and the importance of device security hygiene.
7) For highly sensitive environments, consider using devices with chipsets from vendors with faster patch cycles or verified security track records until patches are available.
8) Conduct regular security assessments and penetration tests focusing on local privilege escalation and information disclosure vectors to identify potential exploitation paths.
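As an added example for the inventory step (not part of the advisory), the script below parses the text of `adb shell getprop` from a fleet device and flags it when the SoC matches the affected list and the Android release is 13, 14 or 15. Which system property carries the SoC name varies by OEM, so the property list checked here is an assumption, and the sample dump is constructed.

```python
import re

# Chipsets listed as affected in the CVE-2024-39442 advisory
AFFECTED_CHIPSETS = {
    "SC7731E", "SC9832E", "SC9863A", "T310", "T606", "T612", "T616", "T610",
    "T618", "T750", "T765", "T760", "T770", "T820", "S8000", "T8300", "T9300",
}
AFFECTED_ANDROID = {"13", "14", "15"}

# Properties that may carry the SoC name; which one an OEM populates varies,
# so this list is an assumption and should be extended per fleet.
CHIP_PROPERTIES = ("ro.hardware.chipname", "ro.soc.model", "ro.board.platform",
                   "ro.product.board", "ro.hardware")

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(output: str) -> dict:
    """Parse `adb shell getprop` lines of the form [key]: [value]."""
    props = {}
    for line in output.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def affected_chipset(props: dict):
    """Return the affected chipset named in a SoC property, else None."""
    for key in CHIP_PROPERTIES:
        value = props.get(key, "").upper()
        for chip in AFFECTED_CHIPSETS:
            # Whole-token match so e.g. T61 cannot match T616
            if re.search(rf"(?<![A-Z0-9]){chip}(?![A-Z0-9])", value):
                return chip
    return None


def assess(output: str) -> dict:
    """Summarise one device: chipset, Android major release, exposure."""
    props = parse_getprop(output)
    release = props.get("ro.build.version.release", "").split(".")[0]
    chip = affected_chipset(props)
    return {
        "serial": props.get("ro.serialno", "unknown"),
        "android": release,
        "chipset": chip,
        "exposed": chip is not None and release in AFFECTED_ANDROID,
    }


# Constructed sample getprop dump, not captured from a real device
SAMPLE = """\
[ro.build.version.release]: [14]
[ro.hardware.chipname]: [T616]
[ro.board.platform]: [ums9230]
[ro.serialno]: [CONSTRUCTED001]
"""
```

Running `assess(SAMPLE)` on the constructed dump reports the device as exposed; feed it the real getprop output of each enrolled device to build the inventory from step 1.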


Technical Details

Data Version: 5.1
Assigner Short Name: Unisoc
Date Reserved: 2024-06-25T06:13:32.360Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981cc4522896dcbdac6d

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/6/2025, 7:40:57 PM

Last updated: 8/15/2025, 1:51:13 PM

