CVE-2025-64304 identifies a vulnerability in the "FOD" Android application developed by Fuji Television Network, Inc., where cryptographic keys are hard-coded within the app binary. This practice violates secure key management principles and allows a local attacker with access to the device to extract these keys without requiring authentication or user interaction. The vulnerability affects all app versions prior to 5.2.0. Hard-coded keys can be retrieved through reverse engineering or static analysis of the app package, enabling attackers to decrypt sensitive data or impersonate legitimate app functions that rely on these keys. The CVSS 3.0 base score is 4.0, reflecting a medium severity due to the local attack vector and limited impact scope—only confidentiality is affected, with no impact on integrity or availability. No known exploits have been reported in the wild, but the vulnerability poses a risk especially in environments where devices may be physically accessible or compromised by malware. The issue was publicly disclosed on November 25, 2025, and is tracked by JPCERT. The root cause is insecure cryptographic key management, a common weakness in mobile applications that can lead to data leakage and undermines trust in app security.

For European organizations, the primary impact is the potential exposure of sensitive cryptographic keys embedded in the "FOD" app, which could lead to unauthorized access to encrypted data or services protected by these keys. Although the attack requires local access, compromised or lost devices in corporate or personal environments could be exploited to extract keys, leading to confidentiality breaches. This is particularly relevant for media companies, broadcasters, or enterprises using the app for content distribution or internal communications. The vulnerability does not affect data integrity or system availability, limiting the scope of damage. However, the exposure of cryptographic keys can facilitate further attacks such as man-in-the-middle interception or unauthorized content access. European organizations with employees or customers using the affected app versions are at risk, especially in sectors with high mobile device usage and less stringent device security controls.

To mitigate this vulnerability, organizations and users should immediately update the "FOD" app to version 5.2.0 or later, where the hard-coded key issue has been addressed. Developers should avoid embedding cryptographic keys directly in the app binary; instead, they should implement secure key management solutions such as using Android's Keystore system or retrieving keys securely from backend servers with proper authentication. Organizations should enforce mobile device management (MDM) policies to restrict local access and prevent unauthorized app tampering or reverse engineering. Regular security audits and static code analysis of mobile applications can help detect similar issues early. Additionally, educating users about the risks of installing apps from untrusted sources and maintaining device security hygiene will reduce the likelihood of local compromise. Monitoring for unusual app behavior or data access patterns can also help detect exploitation attempts.