CVE-2025-14699 is a path traversal vulnerability identified in Municorn FAX App version 3.27.0 for Android devices. The vulnerability arises from improper validation or sanitization of file path inputs within the app's component biz.faxapp.app, allowing an attacker with local access and limited privileges to manipulate file paths to access or modify files outside the intended directories. This can lead to unauthorized disclosure or alteration of sensitive fax data stored on the device, potentially impacting confidentiality and integrity. The attack vector is local, requiring the attacker to have at least limited privileges on the device, but no user interaction is needed once access is obtained. The CVSS 4.0 score of 4.8 reflects a medium severity, considering the limited attack vector but significant potential impact. The vendor was contacted but has not responded or issued a patch, and public exploit information has been disclosed, increasing the risk of exploitation. The vulnerability does not require network access, making it a concern primarily for environments where multiple users share devices or where local access controls are weak. The lack of a patch and vendor response increases the urgency for organizations to implement compensating controls.

For European organizations, this vulnerability could lead to unauthorized access or modification of fax documents stored on Android devices running the vulnerable Municorn FAX App. This may result in leakage of sensitive business communications, intellectual property, or personal data, potentially violating GDPR and other data protection regulations. Integrity of faxed documents could be compromised, affecting business operations and trustworthiness of communications. Availability impact is limited but possible if critical files are deleted or corrupted. The local attack requirement limits remote exploitation but insider threats or compromised devices pose a real risk. Sectors relying heavily on fax communications, such as legal, healthcare, and government agencies, could face operational disruptions and reputational damage. The absence of vendor patches increases exposure duration, necessitating proactive mitigation.

1. Restrict physical and local access to Android devices running Municorn FAX App to trusted personnel only. 2. Implement strict device-level access controls, including strong authentication and user privilege separation to prevent unauthorized local access. 3. Monitor file system activity on devices for unusual access patterns or attempts to access restricted directories. 4. Use mobile device management (MDM) solutions to enforce security policies and remotely wipe or lock devices if compromised. 5. Educate users about the risks of installing untrusted apps or granting unnecessary permissions. 6. Regularly check for vendor updates or patches and apply them immediately once available. 7. Consider alternative fax solutions with better security track records until this vulnerability is resolved. 8. Conduct periodic security audits of devices used for sensitive communications to detect potential exploitation.