CVE-2025-14698: Path Traversal in atlaszz AI Photo Team Galleryit App
A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation causes path traversal. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-14698 identifies a path traversal vulnerability in the atlaszz AI Photo Team Galleryit App version 1.3.8.2 on Android devices. The vulnerability resides within the gallery.photogallery.pictures.vault.album component, where improper validation of file path inputs allows an attacker to traverse directories outside the intended scope. This can lead to unauthorized access to files stored on the device, potentially exposing sensitive user or corporate data. The attack vector is local, meaning the attacker must have physical or logical access to the device with at least limited privileges (PR:L). No user interaction is required to exploit the vulnerability, and the attack complexity is low (AC:L). The CVSS 4.0 base score is 4.8, reflecting medium severity, with partial impact on confidentiality, integrity, and availability. The vendor was notified early but has not issued any patch or response, and a public exploit is available, increasing the risk of exploitation. Although no known exploits in the wild have been reported, the availability of a public exploit and lack of vendor response make this a concern for users of the affected app version. The vulnerability does not require network access or elevated privileges beyond local access, limiting the attack scope but still posing a risk to device data security.
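The summary above attributes the flaw to improper validation of file path inputs in the album component. The following is an added illustration, not code from the Galleryit App or its vendor: it places the unchecked join that typically produces such a bug next to two candidate fixes, a string-prefix comparison that is still bypassable, and a canonicalize-and-compare check that rejects every escape. The album directory and the request strings are constructed for the demonstration.

```python
"""Path containment check for an album directory (added illustration)."""
import os


def unsafe_album_path(album_dir: str, requested: str) -> str:
    """The pattern behind most path traversal bugs: join and trust.

    Nothing here checks that the result is still inside album_dir, so
    '../' segments escape it and an absolute path replaces it outright.
    """
    return os.path.join(album_dir, requested)


def naive_prefix_check(album_dir: str, requested: str) -> bool:
    """A common but insufficient fix: string-prefix comparison.

    '.../album' is a string prefix of '.../album2/x.jpg', so a sibling
    directory that merely shares the prefix slips through.
    """
    base = os.path.realpath(album_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    return candidate.startswith(base)


def safe_album_path(album_dir: str, requested: str) -> str:
    """Resolve `requested` under `album_dir`, refusing anything that escapes.

    realpath() collapses '.', '..' and symlinks before the comparison, and
    commonpath() compares whole path components rather than characters,
    so the sibling-directory case above is rejected as well.
    """
    base = os.path.realpath(album_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # mixed drives or absolute/relative mix (Windows)
        inside = False
    if not inside:
        raise ValueError(f"refusing path outside album directory: {requested!r}")
    return candidate


def is_contained(album_dir: str, requested: str) -> bool:
    """True if the strict check accepts `requested`, False if it raises."""
    try:
        safe_album_path(album_dir, requested)
        return True
    except ValueError:
        return False


# Constructed sample data: a hypothetical app-private album directory and
# a handful of requests, none taken from the advisory.
ALBUM_DIR = "/data/data/example.gallery/files/album"
SAMPLE_REQUESTS = [
    "photo1.jpg",                       # ordinary file in the album
    "trip/photo2.jpg",                  # file in a sub-album
    "../../shared_prefs/settings.xml",  # classic dot-dot escape
    "/etc/hosts",                       # absolute path overrides the join
    "trip/../../album2/photo3.jpg",     # sibling dir sharing the prefix
]


def audit_requests(album_dir: str = ALBUM_DIR, requests=SAMPLE_REQUESTS):
    """Return {request: (naive_prefix_passes, strict_check_passes)}."""
    return {
        r: (naive_prefix_check(album_dir, r), is_contained(album_dir, r))
        for r in requests
    }


if __name__ == "__main__":
    for req, (naive_ok, strict_ok) in audit_requests().items():
        print(f"{req:36} naive={naive_ok!s:5} strict={strict_ok}")
```

The point of the last sample request is that only the component-wise comparison rejects it: the prefix check sees `.../album` at the start of `.../album2/photo3.jpg` and approves a directory the app never meant to expose. The same two steps, canonicalize first, then compare whole components against the intended root, are what an Android component handling caller-supplied file names needs before opening anything.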
Potential Impact
For European organizations, this vulnerability could lead to unauthorized local access to sensitive files on Android devices running the affected Galleryit App version 1.3.8.2. This is particularly concerning for corporate environments where employees use personal or company-issued Android devices for work, potentially exposing confidential business information or personal data protected under GDPR. The path traversal could allow attackers to read or manipulate files outside the app’s intended directory, risking data confidentiality and integrity. Although exploitation requires local access, insider threats or compromised devices could leverage this vulnerability to escalate data exposure. The lack of vendor response and patch availability prolongs the window of exposure. While availability impact is limited, the confidentiality breach potential is significant, especially for sectors handling sensitive data such as finance, healthcare, and government agencies within Europe.
Mitigation Recommendations
1. Restrict physical and logical access to devices running the vulnerable app, enforcing strong device access controls such as biometric or PIN authentication.
2. Implement mobile device management (MDM) solutions to monitor and control app installations and usage, preventing unauthorized apps or versions from running.
3. Enforce strict app permission policies limiting file system access and isolate sensitive data using containerization or sandboxing techniques.
4. Monitor file system activity on devices for unusual access patterns indicative of path traversal exploitation attempts.
5. Educate users about the risks of installing untrusted apps and the importance of device security hygiene.
6. Encourage the vendor to release a patch or consider alternative secure photo gallery apps until a fix is available.
7. Regularly audit devices for the presence of the vulnerable app version and remove or update it where possible.
8. For corporate environments, consider restricting use of the Galleryit App on work devices until the vulnerability is resolved.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-14T14:28:08.736Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693f898ad9bcdf3f3da64752
Added to database: 12/15/2025, 4:07:38 AM
Last enriched: 12/22/2025, 4:53:14 AM
Last updated: 2/7/2026, 2:16:53 AM