CVE-2025-10718: Improper Export of Android Application Components in Ooma Office Business Phone App
A vulnerability was found in Ooma Office Business Phone App up to 7.2.2 on Android. This affects an unknown part of the component com.ooma.office2. The manipulation results in improper export of Android application components. The attack must be carried out locally. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10718 is a medium-severity vulnerability affecting the Ooma Office Business Phone App on Android versions up to 7.2.2. The vulnerability arises from improper export of Android application components within the app, specifically related to the component identified as com.ooma.office2. Improper export means that certain app components (such as activities, services, or broadcast receivers) are made accessible to other apps or processes without proper access controls. This can allow a local attacker—someone with physical or logical access to the device—to interact with these components in unintended ways. The vulnerability does not require user interaction or elevated privileges beyond what a local attacker would have, but it does require local access to the device. The CVSS 4.0 vector indicates low attack complexity and low privileges required, with no user interaction needed. The impact affects confidentiality, integrity, and availability at a low level, as the components are improperly exposed but the scope and severity of potential exploitation are limited. The vendor was notified but did not respond, and no patches or mitigations have been published at this time. The exploit details have been made public, increasing the risk of exploitation by local attackers. Since the vulnerability affects a business phone app, it could potentially expose sensitive communications or allow unauthorized manipulation of telephony functions within the app, though the exact impact depends on the specific components exposed and their privileges within the app.
Potential Impact
For European organizations using the Ooma Office Business Phone App on Android devices, this vulnerability could lead to unauthorized local access to sensitive telephony functions or data. This could include interception or manipulation of business calls, exposure of contact information, or unauthorized initiation or termination of calls. While the attack requires local access to the device, this is a realistic threat in environments where devices are shared, lost, or physically accessible to malicious insiders or visitors. The improper export of components could also be leveraged as part of a larger attack chain to escalate privileges or move laterally within a corporate network. Given the app’s role in business communications, disruption or compromise could impact operational continuity and confidentiality of communications. The medium severity rating reflects that while the vulnerability is not remotely exploitable, the potential for local abuse in sensitive business contexts is significant. Organizations with mobile workforces or shared device environments are particularly at risk.
Mitigation Recommendations
1. Immediately audit all Android devices running Ooma Office Business Phone App versions 7.2.0 through 7.2.2 to identify vulnerable installations.
2. Restrict physical and logical access to devices running the app to trusted personnel only, minimizing risk of local exploitation.
3. Implement mobile device management (MDM) policies to enforce device encryption, strong authentication, and remote wipe capabilities to mitigate risks from lost or stolen devices.
4. Monitor devices for unusual app behavior or unauthorized access attempts to the Ooma app components.
5. Until a vendor patch is available, consider temporarily disabling or uninstalling the app on devices where local access cannot be strictly controlled.
6. Engage with Ooma support channels to request a security update or patch addressing this vulnerability.
7. Educate users on the risks of local device compromise and enforce strict device usage policies in sensitive environments.
8. For organizations developing internal security tools, consider scanning Android apps for exported components and verifying proper access controls as part of app vetting.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Belgium, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-19T09:37:16.158Z
- Cvss Version: 4.0
- State: PUBLISHED

Threat ID: 68cd7fd94b8a032c4faad0fa
Added to database: 9/19/2025, 4:07:53 PM
Last enriched: 9/19/2025, 4:23:13 PM
Last updated: 11/2/2025, 8:05:54 AM