CVE-2025-5344: CWE-926 Improper Export of Android Application Components in Bluebird com.bluebird.kiosk.launcher
Bluebird devices contain a pre-loaded kiosk application. This application exposes an unsecured service provider "com.bluebird.kiosk.launcher.IpartnerKioskRemoteService". A local attacker can bind to the AIDL-type service to modify the device's global settings and wallpaper image. This issue affects all versions before 1.1.2.
AI Analysis
Technical Summary
CVE-2025-5344 is a high-severity vulnerability affecting Bluebird devices that come pre-installed with the com.bluebird.kiosk.launcher application, specifically versions before 1.1.2. The vulnerability arises from an improper export of an Android application component, classified under CWE-926 (Improper Export of Android Application Components). The kiosk application exposes an unsecured AIDL-type service provider named com.bluebird.kiosk.launcher.IpartnerKioskRemoteService. This service lacks proper access controls, allowing any local attacker on the device to bind to it without authentication or user interaction. Once bound, the attacker can manipulate critical device configurations, including modifying global settings and changing the wallpaper image. Given the CVSS 4.0 vector AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N and a score of 8.5, the vulnerability is exploitable locally with low complexity and no privileges or user interaction required, but it has a high impact on confidentiality and integrity. The vulnerability does not affect availability or require network access, limiting the attack surface to local device access. No known exploits are currently reported in the wild, and no patches have been linked yet. The issue was reserved in May 2025 and published in July 2025 by CERT-PL. The vulnerability is significant because it allows unauthorized local modification of device settings, which could be leveraged for further attacks or to disrupt device operation in kiosk environments where Bluebird devices are deployed.
Potential Impact
For European organizations using Bluebird devices in kiosk or enterprise environments, this vulnerability poses a substantial risk. Attackers with local access—such as malicious insiders, contractors, or individuals with temporary physical access—can exploit this flaw to alter device configurations, potentially bypassing security policies or disrupting business operations. The ability to change global settings and wallpaper could be a vector for social engineering or further malware deployment. In regulated sectors like finance, healthcare, or public services, unauthorized configuration changes could lead to compliance violations or data leakage. Additionally, compromised kiosk devices could serve as footholds for lateral movement within corporate networks if these devices have network connectivity. Although the attack requires local access, the widespread use of Bluebird devices in retail, logistics, and industrial settings across Europe increases the risk profile. The absence of authentication or user interaction requirements exacerbates the threat, making it easier for attackers to exploit once physical or local access is gained.
Mitigation Recommendations
Organizations should immediately inventory their Bluebird devices to identify those running vulnerable versions of the com.bluebird.kiosk.launcher application. Until a patch is available, implement strict physical security controls to prevent unauthorized local access to these devices, including locked enclosures and surveillance. Employ mobile device management (MDM) solutions to monitor device configurations and detect unauthorized changes. Disable or restrict access to the exposed AIDL service if possible through configuration or custom device policies. Consider deploying endpoint protection solutions capable of detecting anomalous local service bindings or configuration modifications. Educate staff about the risks of local device tampering and enforce strict access controls for personnel with physical access. Once Bluebird releases a patched version (1.1.2 or later), prioritize prompt updates and test them in controlled environments before wide deployment. Additionally, audit device logs regularly for signs of exploitation attempts or configuration changes that could indicate compromise.
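One way to carry out the inventory step, as an added example that is not part of the original advisory: it classifies devices from the `versionName=` line in `adb shell dumpsys package com.bluebird.kiosk.launcher` output against the 1.1.2 boundary stated above. The device serials and output excerpts are constructed, and the four result labels are this example's own.

```python
import re

PACKAGE = "com.bluebird.kiosk.launcher"
FIXED = (1, 1, 2)  # the advisory: all versions before 1.1.2 are affected

# Constructed excerpts of `adb shell dumpsys package <PACKAGE>` output, keyed
# by made-up device serials; real output contains many more lines.
SAMPLE_FLEET = {
    "KIOSK-001": "  Package [com.bluebird.kiosk.launcher] (1a2b3c):\n"
                 "    versionCode=109 minSdk=26 targetSdk=29\n"
                 "    versionName=1.0.9\n",
    "KIOSK-002": "  Package [com.bluebird.kiosk.launcher] (4d5e6f):\n"
                 "    versionName=1.1.2\n",
    "KIOSK-003": "  Package [com.bluebird.kiosk.launcher] (7a8b9c):\n"
                 "    versionName=1.1-beta\n",
    "KIOSK-004": "",  # no package block in the output
    "KIOSK-005": "  Package [com.bluebird.kiosk.launcher] (0d1e2f):\n"
                 "    versionName=custom\n",
}


def classify(dumpsys_text):
    """Return 'vulnerable', 'fixed', 'absent' or 'review' for one device."""
    if f"Package [{PACKAGE}]" not in dumpsys_text:
        return "absent"
    name = re.search(r"^\s*versionName=(\S+)", dumpsys_text, re.MULTILINE)
    prefix = re.match(r"\d+(?:\.\d+)*", name.group(1)) if name else None
    if prefix is None:
        return "review"  # version unreadable: fail closed, check by hand
    parts = [int(p) for p in prefix.group(0).split(".")]
    parts += [0] * (len(FIXED) - len(parts))  # "1.1" compares as 1.1.0
    return "vulnerable" if tuple(parts) < FIXED else "fixed"


def inventory(fleet):
    """Classify every device in a {serial: dumpsys text} mapping."""
    return {serial: classify(text) for serial, text in fleet.items()}


if __name__ == "__main__":
    for serial, status in inventory(SAMPLE_FLEET).items():
        print(serial, status)
```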
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-05-30T06:40:12.828Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6878f79ba83201eaace5cfa5
Added to database: 7/17/2025, 1:16:11 PM
Last enriched: 7/17/2025, 1:31:11 PM
Last updated: 7/17/2025, 8:32:32 PM