
CVE-2025-50861: n/a

Medium
Published: Thu Aug 14 2025 (08/14/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 contains an exported component, PushDeepLinkActivity, which is accessible without authentication via ADB or malicious apps. This poses a risk of unintended access to application internals and can cause denial of service or logic abuse.

AI-Powered Analysis

Last updated: 08/22/2025, 01:07:06 UTC

Technical Analysis

CVE-2025-50861 is a medium severity vulnerability affecting the Lotus Cars Android application (package: com.lotus.carsdomestic.intl), specifically version 1.2.8. The vulnerability arises from an exported Android component named PushDeepLinkActivity, which is accessible without any authentication or permission checks. This component can be invoked via Android Debug Bridge (ADB) or by malicious applications installed on the device. Because the component is exported and lacks access controls, unauthorized actors can interact with internal application logic, potentially leading to denial of service (DoS) conditions or abuse of application logic. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-284 (Improper Access Control), indicating that attackers could exploit this flaw to exhaust resources or bypass intended access restrictions. The CVSS v3.1 base score is 6.5, reflecting a network attack vector with low attack complexity, no privileges required, no user interaction needed, and limited confidentiality impact but potential availability impact. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability could allow attackers to cause the app to crash or behave unexpectedly by invoking PushDeepLinkActivity with crafted intents, potentially disrupting user experience or enabling further logic abuse within the app's internal workflows.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the usage of the Lotus Cars Android app within their operational or customer environments. If the app is used by employees or customers, exploitation could lead to service disruption or denial of service on affected devices, impacting business continuity or customer satisfaction. Since the vulnerability allows unauthenticated access to internal app components, it could be leveraged as a foothold for further attacks on the device or to manipulate app behavior, potentially exposing sensitive data or undermining trust in the app. The limited confidentiality impact reduces the risk of data breaches, but the denial of service and logic abuse could affect operational integrity. Organizations involved in automotive services, dealerships, or customer support for Lotus Cars in Europe should be particularly vigilant. Additionally, if the app is used in connected car ecosystems or integrated with enterprise mobile device management (MDM) solutions, the vulnerability could have broader implications for device security and network integrity.

Mitigation Recommendations

To mitigate this vulnerability, organizations and users should:

1) Monitor for updates from the Lotus Cars app developer and apply patches promptly once available.
2) Restrict usage of ADB on devices where the app is installed, disabling USB debugging to prevent unauthorized local access.
3) Employ mobile security solutions that detect and block malicious apps attempting to exploit exported components.
4) Use Android enterprise management policies to restrict installation of untrusted applications and control app permissions rigorously.
5) Conduct security awareness training for users to avoid installing unverified apps that could exploit this vulnerability.
6) For organizations managing fleets of devices, implement application whitelisting and runtime application self-protection (RASP) to detect abnormal app behavior.
7) Developers should consider implementing proper access controls on exported components, such as requiring permissions or authentication, and avoid exporting components unnecessarily.
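As an added illustration of recommendation 7 (not the Lotus Cars app's actual manifest), the weak AndroidManifest.xml declaration the advisory describes beside two hardened alternatives. The package and activity names are taken from the advisory; the ".push" sub-package, the "lotus" deep-link scheme and host, and the custom permission name are assumptions.

```xml
<!-- Added example, not the real app manifest. Package and activity names come from
     the advisory; the ".push" sub-package, the lotus:// scheme/host and the
     permission name are assumed. -->

<!-- WEAK: the pattern the advisory describes. android:exported="true" with no
     android:permission lets any installed app, or the adb shell user over USB
     debugging, start the activity with arbitrary extras. Apps targeting Android 12
     (API 31) and later must declare android:exported explicitly on every component
     that has an <intent-filter>, so this value is always present and easy to audit. -->
<activity
    android:name="com.lotus.carsdomestic.intl.push.PushDeepLinkActivity"
    android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="lotus" android:host="deeplink" />
    </intent-filter>
</activity>

<!-- HARDENED, option 1: the activity is only started by the app's own push-handling
     code through an explicit Intent, so it need not be exported at all. With
     exported="false" the system refuses launches from other apps and from the adb
     shell user. The intent-filter is dropped: a non-exported activity cannot be
     reached by an implicit VIEW intent anyway. -->
<activity
    android:name="com.lotus.carsdomestic.intl.push.PushDeepLinkActivity"
    android:exported="false" />

<!-- HARDENED, option 2: the activity must stay reachable from a companion app shipped
     by the same vendor. A custom permission with protectionLevel="signature" is
     granted only to apps signed with the same certificate; third-party apps and the
     adb shell cannot hold it, so their start requests fail with a SecurityException
     before onCreate() ever runs. BROWSABLE is omitted because a browser cannot hold
     the permission either. -->
<permission
    android:name="com.lotus.carsdomestic.intl.permission.OPEN_PUSH_DEEP_LINK"
    android:protectionLevel="signature" />

<activity
    android:name="com.lotus.carsdomestic.intl.push.PushDeepLinkActivity"
    android:exported="true"
    android:permission="com.lotus.carsdomestic.intl.permission.OPEN_PUSH_DEEP_LINK">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="lotus" android:host="deeplink" />
    </intent-filter>
</activity>
```

Whichever option is chosen, the code that reads the incoming intent should still treat its data and extras as untrusted and fail closed on malformed input, since that is what prevents the crash-driven denial of service the advisory describes. On the built APK, `apkanalyzer manifest print <apk>` from the Android SDK command-line tools prints the merged manifest so the effective exported and permission attributes can be confirmed.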


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 689e446ead5a09ad005e52c3

Added to database: 8/14/2025, 8:17:50 PM

Last enriched: 8/22/2025, 1:07:06 AM

Last updated: 9/27/2025, 12:42:23 AM
