CVE-2025-10195 is a medium-severity vulnerability affecting version 2.4.2 of the Seismic App on Android. The issue stems from improper exportation of Android application components declared in the AndroidManifest.xml file, specifically within the component identified as com.seismic.doccenter. In Android applications, components such as activities, services, broadcast receivers, and content providers can be exported to allow interaction with other applications or system components. Improper export occurs when components are unintentionally made accessible to other apps or users without adequate access controls, potentially exposing sensitive functionality or data. This vulnerability requires local access, meaning an attacker must have physical or logical access to the device where the app is installed. The vulnerability does not require user interaction or elevated privileges beyond low privileges, making it easier to exploit once local access is obtained. The CVSS 4.0 vector indicates low attack complexity and no user interaction, but limited scope and impact on confidentiality, integrity, and availability. The vendor has been notified but has not responded or issued a patch, and no known exploits are currently in the wild. The vulnerability could allow an attacker with local access to interact with the improperly exported component, potentially leading to unauthorized data access or manipulation within the app's context. Given the app's role in document management or sales enablement (typical for Seismic App), sensitive business information could be at risk if exploited.

For European organizations using Seismic App 2.4.2 on Android devices, this vulnerability could lead to unauthorized local access to sensitive corporate documents or data managed by the app. While remote exploitation is not possible, insider threats or attackers with temporary device access could leverage this flaw to extract or manipulate confidential information. This risk is particularly relevant for sectors handling sensitive or regulated data such as finance, healthcare, legal, and government institutions. The lack of vendor response and patch availability increases the window of exposure. Additionally, the vulnerability could undermine trust in mobile device security policies and complicate compliance with data protection regulations like GDPR if sensitive personal or corporate data is compromised. However, the medium severity and local attack vector limit the overall risk to scenarios involving physical device compromise or insider threat actors.

European organizations should implement the following specific mitigations: 1) Immediately audit all Android devices running Seismic App 2.4.2 to identify affected installations. 2) Restrict physical and logical access to devices with the app installed, enforcing strong device-level authentication and encryption to reduce local attack feasibility. 3) Employ Mobile Device Management (MDM) solutions to monitor app usage and detect suspicious local activity or unauthorized access attempts. 4) Where possible, disable or restrict the use of the Seismic App on Android devices until a patched version is available. 5) Engage with the vendor or seek alternative secure applications with active maintenance and security responsiveness. 6) Educate users about the risks of leaving devices unattended or lending them to untrusted parties. 7) Monitor for any emerging exploit code or public proof-of-concept releases to adjust defensive measures promptly. 8) Consider implementing application sandboxing or containerization to isolate the app and limit potential damage from exploitation.