CVE-2025-7890 is a medium-severity vulnerability affecting the Dunamu StockPlus Android application versions 7.62.0 through 7.62.10. The root cause lies in the improper export of Android application components declared in the app's AndroidManifest.xml file, specifically within the component identified as com.dunamu.stockplus. Improper export means that certain components (such as activities, services, broadcast receivers, or content providers) are unintentionally made accessible to other apps or processes on the same device. This can lead to unauthorized access or manipulation of the app's internal functionality or data. The vulnerability requires local access to the device, meaning an attacker must have some level of access to the device itself (e.g., physical access or the ability to run code on the device). No user interaction or authentication is required to exploit this vulnerability, which increases its risk profile. The CVSS 4.0 vector indicates low attack complexity and privileges required, with no user interaction needed, but the impact on confidentiality, integrity, and availability is limited to low levels. The vendor, Dunamu, has not responded to early disclosure attempts, and no patches or mitigations have been published yet. Although no known exploits are currently in the wild, the public disclosure of the vulnerability increases the risk of exploitation by malicious actors. This vulnerability could allow local attackers or malicious apps to access or manipulate sensitive components of the StockPlus app, potentially leading to data leakage, unauthorized actions, or disruption of app functionality.

For European organizations, particularly financial institutions or investment firms using the Dunamu StockPlus app for stock trading or portfolio management, this vulnerability poses a risk of unauthorized local access to sensitive financial data or manipulation of app behavior. While the attack requires local access, the widespread use of mobile devices and the possibility of malware or malicious apps gaining foothold on devices increase the threat surface. Confidentiality of user financial data could be compromised, and integrity of transactions or displayed information could be affected. This could lead to financial loss, reputational damage, and regulatory compliance issues under GDPR and financial regulations. The impact is more pronounced for organizations with employees or clients using the affected app on Android devices, especially if devices are not tightly controlled or monitored. The lack of vendor response and absence of patches heighten the urgency for organizations to implement compensating controls to mitigate risk.

1. Immediate mitigation should include restricting physical and local access to devices running the affected StockPlus app to trusted users only. 2. Organizations should monitor devices for installation of unauthorized or suspicious applications that could exploit this vulnerability locally. 3. Employ mobile device management (MDM) solutions to enforce application whitelisting, restrict sideloading, and control app permissions to limit the ability of malicious apps to interact with StockPlus components. 4. Encourage users to update to newer versions of the app once Dunamu releases a patch addressing this vulnerability. 5. Until a patch is available, consider isolating devices used for stock trading from other personal or less secure apps to reduce risk of local exploitation. 6. Conduct security awareness training to inform users about the risks of installing untrusted apps and the importance of device security hygiene. 7. Regularly audit and review app permissions and exported components using tools like APK analyzers to detect improper exports in other apps as well. 8. Network-level controls can be implemented to detect anomalous app behavior or data exfiltration attempts originating from mobile devices.