CVE-2025-64696 identifies a vulnerability in the Android application "Brother iPrint&Scan" developed by Brother Industries, Ltd., specifically in versions 6.13.7 and earlier. The issue arises from the app's improper use of the external cache directory to store sensitive application-specific files. Android's external cache directories are accessible by other applications with appropriate permissions, unlike internal app storage which is sandboxed. Consequently, malicious applications installed on the same device can read sensitive cached data belonging to the Brother iPrint&Scan app, potentially leading to information disclosure. The vulnerability requires local access to the device and some user interaction to exploit, as no privilege escalation or remote exploitation vector is indicated. The CVSS 3.0 base score of 3.3 reflects a low severity, primarily due to the limited attack vector (local access), low impact on confidentiality, and absence of integrity or availability impact. No known exploits have been reported in the wild, and no patches or fixes have been linked yet. The vulnerability highlights a common security misconfiguration in Android app development where sensitive data is stored in locations accessible by other apps, violating the principle of least privilege and data confidentiality.

For European organizations, the primary impact of this vulnerability is the potential unauthorized disclosure of sensitive information cached by the Brother iPrint&Scan app on Android devices. This could include print job metadata, scanned document previews, or user credentials cached temporarily. If employees use shared or unmanaged Android devices, malicious apps installed on these devices could exploit this vulnerability to access sensitive data, leading to privacy breaches or leakage of confidential business information. Although the vulnerability does not allow modification or disruption of app functionality, the confidentiality breach could undermine trust in document handling processes. Organizations in sectors handling sensitive documents, such as legal, finance, or government, may face compliance risks under GDPR if personal data is exposed. The low severity and requirement for local access limit the overall risk, but the vulnerability still represents a vector for insider threats or compromised devices within corporate environments.

1. Update the Brother iPrint&Scan app to the latest version once Brother Industries releases a patch addressing this vulnerability. 2. Until a patch is available, restrict installation of untrusted or unnecessary applications on Android devices used for printing/scanning to reduce the risk of malicious apps exploiting this flaw. 3. Enforce mobile device management (MDM) policies that limit app permissions and control access to external storage areas. 4. Educate users about the risks of installing apps from unverified sources and the importance of device hygiene. 5. Where possible, configure Android devices to use internal cache directories or encrypted storage for sensitive app data. 6. Monitor device logs and app behavior for unusual access patterns to cached data. 7. Consider isolating printing/scanning functions to dedicated devices with strict security controls to minimize exposure.