CVE-2025-50861: n/a
The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 contains an exported component, PushDeepLinkActivity, which is accessible without authentication via ADB or malicious apps. This poses a risk of unintended access to application internals and can cause denial of service or logic abuse.
AI Analysis
Technical Summary
CVE-2025-50861 identifies a security vulnerability in the Lotus Cars Android application (package name: com.lotus.carsdomestic.intl), version 1.2.8. The vulnerability arises from an Android activity named PushDeepLinkActivity that is exported and carries no permission requirement or other caller check. Any other application installed on the same device can therefore start it with an ordinary startActivity() call, and anyone with ADB access can do the same from a shell (for example with am start). An exported component that does not verify its caller receives whatever intent data and extras are sent to it, so the deep-link handling behind this activity can be driven with attacker-chosen input. According to the advisory this allows unintended access to application internals and can cause denial of service or logic abuse, that is, manipulation of the app's intended workflow to trigger erratic behaviour or bypass controls. Exploitation requires no user interaction beyond getting a malicious app onto the device or obtaining ADB access, which an attacker could achieve through physical access or by social-engineering the user into installing an app. No CVSS score has been assigned, no exploits are known in the wild, and no patch or fixed version has been linked, so the issue should be treated as unmitigated. Exporting a component without access control is a well-known Android anti-pattern (CWE-926, Improper Export of Android Application Components) that frequently leads to unauthorized access to sensitive app features.
Potential Impact
For European organizations, the impact depends on whether the Lotus Cars Android app is used in their environment or by their employees. Where the app is used for vehicle management, telematics, or connected car services, exploitation could deny users access to those services or, through logic abuse, manipulate app behaviour in ways that affect vehicle settings or data integrity. Because the attacker needs a malicious app on the device or ADB access, the realistic scenario is a targeted attack on employees or executives who run the app on corporate or personal devices, leading to indirect impacts such as lost productivity, exposure of vehicle or user data, or reputational damage if the flaw is chained into a broader connected-vehicle attack. The risk is higher where device security is lax, where users have elevated privileges, or where developer options and USB debugging are left enabled. Given the automotive sector's growing reliance on connected apps, such vulnerabilities can have cascading effects on operational technology and safety-critical systems if combined with other weaknesses.
Mitigation Recommendations
Specific mitigation steps include:
1) Lotus Cars should secure PushDeepLinkActivity: set android:exported="false" if no other app needs to start it, or, if it must remain reachable from outside the app, guard it with an android:permission whose protectionLevel is signature and validate every field of the incoming intent (action, data URI, extras) before acting on it.
2) Apply the same rule across the app: export components only when necessary, declare android:exported explicitly for every component, and use permission attributes to limit who can invoke them.
3) For organizations, enforce mobile device management (MDM) policies that restrict installation of unauthorized apps and disable or control USB debugging (ADB) on employee devices.
4) Educate users about the risks of installing untrusted applications and of enabling developer options or USB debugging on their devices.
5) Monitor app behaviour and device logs for unusual activity that could indicate exploitation attempts, such as launches of PushDeepLinkActivity that do not originate from the app itself or the system.
6) Coordinate with Lotus Cars or app vendors to obtain patches or updates and deploy them promptly.
7) Conduct security assessments of connected vehicle apps to identify similar exported-component vulnerabilities and remediate them proactively.
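The following shell script is an added example, not code from the advisory or from Lotus Cars. It illustrates the check behind the Technical Summary above (finding components that any co-installed app or ADB session can invoke) and the manifest fix in mitigation steps 1 and 2. It scans a decoded AndroidManifest.xml, such as the one apktool produces from an APK, for components that are exported but carry no android:permission, and prints the adb command that reaches each one. The manifest embedded in the script is constructed for the example: apart from the package name and PushDeepLinkActivity, which appear in the advisory, every component and permission name is hypothetical and does not reflect the real app's manifest.

```shell
#!/bin/sh
# Added example (not the advisory's or Lotus Cars' code): audit a decoded
# AndroidManifest.xml for components that are exported without an
# android:permission guard, and print the adb command that would invoke each.
#
# Caveat: only explicit android:exported="true" is considered. Apps targeting
# API < 31 implicitly export any component that has an <intent-filter> and no
# android:exported attribute; review those by hand.

# Constructed sample manifest for demonstration. Only the package name and
# PushDeepLinkActivity come from the advisory; every other component and the
# permission name are hypothetical and do not reflect the real app.
SAMPLE_MANIFEST='<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.lotus.carsdomestic.intl">
  <permission android:name="com.lotus.carsdomestic.intl.permission.INTERNAL" android:protectionLevel="signature"/>
  <application android:label="Lotus">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".PushDeepLinkActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.lotus.carsdomestic.intl.permission.INTERNAL"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>'

# package_name MANIFEST_TEXT: prints the package attribute of the <manifest> element.
package_name() {
    printf '%s\n' "$1" | sed -n 's/.*package="\([^"]*\)".*/\1/p' | head -n 1
}

# find_unguarded_exports MANIFEST_TEXT
# Prints "<kind> <name>" for each activity/service/receiver/provider element that
# has android:exported="true" and no android:permission attribute. Assumes one
# component element per line, which is how apktool-decoded manifests are laid out.
find_unguarded_exports() {
    printf '%s\n' "$1" | awk '
        /<(activity|service|receiver|provider)[ >]/ && /android:exported="true"/ && !/android:permission=/ {
            kind = $0; sub(/^[^<]*</, "", kind); sub(/[ >].*$/, "", kind)
            name = $0; sub(/.*android:name="/, "", name); sub(/".*$/, "", name)
            print kind, name
        }'
}

# probe_commands PACKAGE  (reads find_unguarded_exports output on stdin)
# Emits the adb invocation a tester would use to reach each component with no
# special privileges, i.e. exactly what a co-installed malicious app can do via
# startActivity()/startService()/sendBroadcast().
probe_commands() {
    while read -r kind name; do
        case "$kind" in
            activity) printf 'adb shell am start -n %s/%s\n' "$1" "$name" ;;
            service)  printf 'adb shell am startservice -n %s/%s\n' "$1" "$name" ;;
            receiver) printf 'adb shell am broadcast -n %s/%s\n' "$1" "$name" ;;
            provider) printf '# provider %s: query its android:authorities with "adb shell content query"\n' "$name" ;;
        esac
    done
}

# Use the manifest given as $1 when present, otherwise the constructed sample.
if [ -n "$1" ] && [ -f "$1" ]; then
    MANIFEST=$(cat "$1")
else
    MANIFEST=$SAMPLE_MANIFEST
fi
find_unguarded_exports "$MANIFEST" | probe_commands "$(package_name "$MANIFEST")"
```

Save it as, say, audit_exports.sh and run `sh audit_exports.sh path/to/AndroidManifest.xml` against a manifest decoded with apktool. In the sample, MainActivity, PushDeepLinkActivity and BootReceiver are reported; SyncService is not, because its signature-level android:permission can only be held by apps signed with the same key, and SettingsActivity is not, because android:exported="false" keeps it private to the app. Those two declarations are the two shapes of the fix in mitigation step 1.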
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 689e446ead5a09ad005e52c3
Added to database: 8/14/2025, 8:17:50 PM
Last enriched: 8/14/2025, 8:33:22 PM
Last updated: 8/15/2025, 12:34:50 AM
Views: 3
Related Threats
CVE-2025-8991: Business Logic Errors in linlinjava litemall (Medium)
CVE-2025-8990: SQL Injection in code-projects Online Medicine Guide (Medium)
CVE-2025-8940: Buffer Overflow in Tenda AC20 (High)
CVE-2025-8939: Buffer Overflow in Tenda AC20 (High)
CVE-2025-50518: n/a (High)