CVE-2025-7890 is a medium-severity vulnerability affecting the Dunamu StockPlus Android application versions 7.62.0 through 7.62.10. The issue stems from improper exportation of Android application components defined in the AndroidManifest.xml file, specifically within the component identified as com.dunamu.stockplus. Improper exportation means that components such as activities, services, broadcast receivers, or content providers are unintentionally made accessible to other applications or processes on the device. This can lead to unauthorized local access to sensitive functionality or data within the app. The vulnerability requires local access to the device, meaning an attacker must have some level of access to the device itself (e.g., physical access or a malicious app installed on the device). The vulnerability does not require user interaction and can be exploited with low complexity, given the attacker has local privileges. The CVSS 4.0 base score is 4.8, reflecting a medium severity, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability. The vendor Dunamu has not responded to early disclosure attempts, and no patches or mitigations have been officially released at the time of publication. Although no known exploits are reported in the wild, public disclosure of the exploit details increases the risk of exploitation. This vulnerability could allow malicious local apps or users to access or manipulate internal components of the StockPlus app, potentially leading to unauthorized data access or manipulation within the app context.

For European organizations, the impact depends largely on the usage of the Dunamu StockPlus app within their environment. StockPlus is a financial stock trading application, and improper component export could expose sensitive financial data or allow unauthorized transactions if exploited. Organizations with employees using this app on corporate or personal devices could face risks of data leakage or unauthorized access to financial accounts. The local attack requirement limits remote exploitation but does not eliminate risk, especially in scenarios where devices are shared, lost, or compromised by other malware. Financial institutions or investment firms using or recommending this app may face reputational damage and regulatory scrutiny if customer data is compromised. Additionally, the lack of vendor response and patch availability prolongs exposure. The vulnerability could also be leveraged as part of a multi-stage attack chain on compromised devices, increasing overall risk to organizational security.

Given the absence of official patches, European organizations should implement specific mitigations: 1) Restrict installation of the Dunamu StockPlus app on corporate devices or enforce usage policies limiting it to trusted devices only. 2) Employ mobile device management (MDM) solutions to monitor and control app permissions and component exports where possible. 3) Educate users about the risks of installing untrusted apps and the importance of device security to prevent local compromise. 4) Use endpoint protection solutions capable of detecting suspicious local inter-app communications or privilege escalations. 5) Monitor for unusual app behavior or unauthorized access attempts related to StockPlus components. 6) Encourage users to update to newer versions once patches become available and maintain close communication with the vendor for updates. 7) Consider sandboxing or containerization of financial apps to isolate them from other apps and reduce attack surface.