CVE-2025-14699 is a path traversal vulnerability identified in the Municorn FAX App version 3.27.0 running on Android devices. Path traversal vulnerabilities occur when an application improperly sanitizes user-supplied input used in file path construction, allowing attackers to access files and directories outside the intended scope. In this case, the vulnerability resides in an unknown component of the app identified as biz.faxapp.app. The attack vector requires local access to the device and limited privileges (PR:L), with no user interaction needed (UI:N). The CVSS 4.0 vector indicates low attack complexity (AC:L) and no requirement for authentication tokens or elevated privileges beyond limited local rights. Exploiting this flaw could allow an attacker to read or modify sensitive files on the device, potentially exposing confidential fax documents or altering application data, which impacts confidentiality, integrity, and availability to a limited extent. The vendor has been contacted but has not responded or issued a patch, and the vulnerability details have been publicly disclosed, increasing the risk of exploitation. Although no exploits are currently known in the wild, the public availability of the vulnerability information means attackers could develop exploits. The vulnerability does not affect the server side but targets the Android client app, which is commonly used on mobile devices in corporate environments. The lack of a patch and vendor response heightens the urgency for organizations to implement mitigations.

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity of fax-related data on Android devices. Organizations relying on the Municorn FAX App for sensitive communications could have confidential fax documents exposed or altered by an attacker with local device access. This could lead to data leakage, compliance violations (e.g., GDPR), and disruption of fax services. The requirement for local access limits remote exploitation but insider threats or compromised devices could be leveraged. The impact on availability is limited but possible if critical files are tampered with. Given the widespread use of Android devices in European enterprises and the continued use of fax in regulated sectors such as healthcare, legal, and government, the vulnerability could affect sensitive workflows. The absence of a vendor patch and public disclosure increases the risk of exploitation, making timely mitigation essential to protect organizational data and maintain regulatory compliance.

1. Restrict physical and local access to devices running Municorn FAX App to trusted personnel only, enforcing strong device access controls such as PINs, biometrics, and screen locks. 2. Monitor device file system access logs for unusual or unauthorized attempts to access or modify files outside the app’s designated directories. 3. Employ mobile device management (MDM) solutions to enforce application usage policies and restrict installation or usage of vulnerable app versions. 4. Educate users about the risks of installing untrusted apps or granting unnecessary permissions that could facilitate local attacks. 5. Until a patch is available, consider replacing the Municorn FAX App with alternative fax solutions that have verified security postures. 6. Regularly audit and update Android OS and security patches to reduce the attack surface. 7. Implement endpoint detection and response (EDR) tools capable of detecting suspicious local file system activity related to path traversal attempts. 8. Engage with the vendor for updates and monitor vulnerability databases for any released patches or mitigations.