CVE-2025-10971: CWE-922 Insecure Storage of Sensitive Information in FERMAX ELECTRÓNICA S.A.U MeetMe
Insecure Storage of Sensitive Information vulnerability in MeetMe on iOS, Android allows Retrieve Embedded Sensitive Data. This issue affects MeetMe: through v2.2.5.
AI Analysis
Technical Summary
CVE-2025-10971 identifies a vulnerability classified under CWE-922 (Insecure Storage of Sensitive Information) in the MeetMe application developed by FERMAX ELECTRÓNICA S.A.U. It affects versions through 2.2.5 on iOS and Android. The application stores sensitive data embedded within it insecurely, so that an attacker with local access can retrieve it without privileges or user interaction; the CVSS 4.0 vector (AV:L, AC:H, AT:P, PR:N, UI:N) records a local attack vector, high attack complexity and attack requirements present, but no privileges and no user interaction. The impact on confidentiality, integrity, and availability is rated high, meaning the exposed data could significantly compromise user privacy and the trustworthiness of the system. No patches are currently linked and no exploits are known in the wild, but the app's role in communication and access control systems makes the issue a critical concern: the insecurely stored material could include credentials, tokens, or other embedded secrets that enable further attacks or unauthorized access. The CVE was reserved in late September 2025 and published in December 2025, indicating recent discovery and disclosure.
Potential Impact
For European organizations, the impact of CVE-2025-10971 is substantial, especially those relying on MeetMe for secure communication, building access control, or IoT device management. Exposure of embedded sensitive data can lead to unauthorized access, data breaches, and compromise of operational security. Confidentiality breaches could expose user credentials or cryptographic keys, enabling lateral movement or impersonation attacks. Integrity and availability impacts could arise if attackers manipulate or disrupt the app’s functions after gaining sensitive information. Given the high CVSS score and the nature of the vulnerability, organizations could face regulatory penalties under GDPR if personal data is compromised. The lack of current exploits does not diminish the risk, as attackers could develop exploits rapidly once details are public. The vulnerability’s requirement for local access limits remote exploitation but does not eliminate risk in environments where devices are shared, lost, or physically accessed by malicious actors. This threat is particularly critical for sectors such as critical infrastructure, government facilities, and enterprises with high security requirements.
Mitigation Recommendations
Immediate mitigation involves monitoring FERMAX ELECTRÓNICA S.A.U communications for official patches and applying updates as soon as they become available. Until patches are released, organizations should restrict physical access to devices running MeetMe, enforce strong device-level encryption, and implement mobile device management (MDM) policies to control app usage and data storage. Conduct regular audits of devices for unauthorized access or data extraction attempts. Developers and administrators should review and enhance secure storage mechanisms, such as using platform-provided secure enclaves or keychains, and avoid embedding sensitive data directly in the app. Employ runtime application self-protection (RASP) and integrity checks to detect tampering. Additionally, educate users on the risks of device sharing and the importance of securing mobile devices. Incident response plans should be updated to address potential data leakage scenarios related to this vulnerability.
Affected Countries
Spain, Germany, France, Italy, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: FERMAX
- Date Reserved: 2025-09-25T12:13:52.534Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692e9c175ae7112264944d48
Added to database: 12/2/2025, 7:58:15 AM
Last enriched: 12/9/2025, 8:48:51 AM
Last updated: 1/16/2026, 1:40:28 PM