
CVE-2025-10971: CWE-922 Insecure Storage of Sensitive Information in FERMAX ELECTRÓNICA S.A.U MeetMe

Severity: High
Tags: vulnerability, cve, cve-2025-10971, cwe-922
Published: Tue Dec 02 2025 (12/02/2025, 07:55:06 UTC)
Source: CVE Database V5
Vendor/Project: FERMAX ELECTRÓNICA S.A.U
Product: MeetMe

Description

CVE-2025-10971 is a high-severity vulnerability affecting the MeetMe application by FERMAX ELECTRÓNICA S.A.U on iOS and Android platforms. The flaw involves insecure storage of sensitive information within the app, allowing unauthorized retrieval of embedded sensitive data. Exploitation requires local access with high attack complexity and partial privileges, but no user interaction is needed. The vulnerability impacts the confidentiality, integrity, and availability of sensitive data stored by the app. Although no known exploits are currently in the wild, the high CVSS score (8.8) indicates significant risk if exploited. European organizations using MeetMe could face data breaches and operational disruptions. Mitigation requires FERMAX to release patches and users to update promptly, alongside secure mobile device management and encryption practices.

AI-Powered Analysis

Last updated: 12/02/2025, 08:13:21 UTC

Technical Analysis

CVE-2025-10971 is classified under CWE-922, which pertains to the insecure storage of sensitive information. The vulnerability exists in the MeetMe application developed by FERMAX ELECTRÓNICA S.A.U, affecting versions up to 2.2.5 on both iOS and Android platforms. The core issue is that sensitive data embedded within the application is stored insecurely, making it retrievable by unauthorized parties. The CVSS 4.0 vector indicates that exploitation requires local access (AV:L), high attack complexity (AC:H), partial privileges (AT:P), no privileges required (PR:N), and no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability at high levels, with scope and security impact also high. This suggests that an attacker with local access but limited privileges could extract sensitive data, potentially leading to data leakage, unauthorized data manipulation, or disruption of service. The lack of known exploits in the wild suggests it is not yet actively exploited, but the severity score and nature of the vulnerability make it a critical concern. The absence of patch links indicates that a fix may not yet be publicly available, emphasizing the need for immediate vendor response and user caution. The vulnerability affects embedded sensitive data storage mechanisms, which could include credentials, tokens, or other confidential information stored insecurely on mobile devices, increasing the risk of compromise if devices are lost, stolen, or accessed by malicious actors.
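As an added illustration (not code from the advisory or from FERMAX), the following Python decodes a CVSS 4.0 vector string into the metric names the analysis above refers to. The sample vector is reconstructed from the metrics the text names and is an assumption, since the advisory does not print the raw string; note that in CVSS 4.0 the AT metric is Attack Requirements (P = Present), a metric distinct from Privileges Required (PR).

```python
import re

# Base-metric abbreviations and value codes as defined in the CVSS 4.0
# specification. In 4.0, AT is "Attack Requirements" (N/P), a metric
# distinct from Privileges Required (PR).
METRICS = {
    "AV": ("Attack Vector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    "AC": ("Attack Complexity", {"L": "Low", "H": "High"}),
    "AT": ("Attack Requirements", {"N": "None", "P": "Present"}),
    "PR": ("Privileges Required", {"N": "None", "L": "Low", "H": "High"}),
    "UI": ("User Interaction", {"N": "None", "P": "Passive", "A": "Active"}),
    "VC": ("Vulnerable System Confidentiality", {"H": "High", "L": "Low", "N": "None"}),
    "VI": ("Vulnerable System Integrity", {"H": "High", "L": "Low", "N": "None"}),
    "VA": ("Vulnerable System Availability", {"H": "High", "L": "Low", "N": "None"}),
    "SC": ("Subsequent System Confidentiality", {"H": "High", "L": "Low", "N": "None"}),
    "SI": ("Subsequent System Integrity", {"H": "High", "L": "Low", "N": "None"}),
    "SA": ("Subsequent System Availability", {"H": "High", "L": "Low", "N": "None"}),
}

# Constructed sample rebuilt from the metrics the analysis text names; the
# advisory does not print the raw vector string, so this is an assumption.
SAMPLE_VECTOR = "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"

def parse_cvss4(vector: str) -> dict:
    """Return {abbrev: (metric name, value name)} for the 11 base metrics.
    Raises ValueError on a non-4.0 prefix, a malformed part, an invalid
    value, or a missing base metric; optional threat/environmental metrics
    that may follow the base metrics are skipped, not decoded."""
    if not vector.startswith("CVSS:4.0/"):
        raise ValueError("not a CVSS 4.0 vector")
    decoded = {}
    for part in vector.split("/")[1:]:
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Z])", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        key, val = m.groups()
        if key not in METRICS:
            continue  # non-base metric (E, CR, MAV, ...): not decoded here
        if val not in METRICS[key][1]:
            raise ValueError(f"invalid value for {key}: {val}")
        decoded[key] = (METRICS[key][0], METRICS[key][1][val])
    missing = sorted(set(METRICS) - set(decoded))
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return decoded

def requires_local_access(vector: str) -> bool:
    """True when the Attack Vector is Local or Physical, i.e. not remotely reachable."""
    return parse_cvss4(vector)["AV"][1] in ("Local", "Physical")
```

Calling `parse_cvss4(SAMPLE_VECTOR)` yields eleven (name, value) pairs, which is a quick way to check an advisory's prose against the vector it was derived from.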

Potential Impact

For European organizations, the insecure storage of sensitive information in MeetMe could lead to significant data breaches, especially if the app is used in environments handling confidential communications or operational data. Compromise of embedded sensitive data could facilitate unauthorized access to corporate networks or services, leading to further exploitation or lateral movement within IT infrastructure. The impact extends to potential regulatory non-compliance under GDPR due to exposure of personal data, resulting in legal and financial penalties. Operationally, organizations relying on MeetMe for communication or access control could face disruptions if attackers manipulate or extract critical data. The vulnerability's requirement for local access limits remote exploitation but raises concerns for organizations with a mobile workforce or BYOD policies, where device theft or loss is a risk. The high attack complexity and partial privileges required reduce the likelihood of widespread exploitation but do not eliminate the threat, especially from insider threats or targeted attacks. Overall, the vulnerability poses a high risk to the confidentiality and integrity of sensitive information within European enterprises using the affected app.

Mitigation Recommendations

FERMAX ELECTRÓNICA S.A.U should prioritize developing and releasing a security patch that properly secures sensitive data storage within the MeetMe app, employing strong encryption and secure storage APIs compliant with platform best practices. Until a patch is available, organizations should enforce strict mobile device management (MDM) policies, including device encryption, strong authentication, and remote wipe capabilities to mitigate risks from lost or stolen devices. Users should be advised to avoid installing or using vulnerable versions of MeetMe and to update immediately once a patch is released. Conducting security audits and penetration testing on mobile applications can help identify similar issues proactively. Additionally, organizations should monitor for unusual local access attempts and educate employees about the risks of insecure app data storage. Implementing application-level encryption for sensitive data and restricting app permissions can further reduce exposure. Finally, maintaining an inventory of mobile applications and their versions across the organization will aid in rapid response and patch management.


Technical Details

Data Version: 5.2
Assigner Short Name: FERMAX
Date Reserved: 2025-09-25T12:13:52.534Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 692e9c175ae7112264944d48

Added to database: 12/2/2025, 7:58:15 AM

Last enriched: 12/2/2025, 8:13:21 AM

Last updated: 12/2/2025, 10:08:34 AM
