
CVE-2025-7891: Improper Export of Android Application Components in InstantBits Web Video Cast App

Severity: Medium
Published: Sun Jul 20 2025 (07/20/2025, 13:02:05 UTC)
Source: CVE Database V5
Vendor/Project: InstantBits
Product: Web Video Cast App

Description

A vulnerability was found in InstantBits Web Video Cast App up to 5.12.4 on Android. It has been rated as problematic. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.instantbits.cast.webvideo. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/20/2025, 13:31:09 UTC

Technical Analysis

CVE-2025-7891 is a medium-severity vulnerability in the InstantBits Web Video Cast App for Android, affecting versions up to and including 5.12.4. The root cause is the improper export of application components declared in the app's AndroidManifest.xml (package name com.instantbits.cast.webvideo). An Android component (activity, service, broadcast receiver or content provider) is exported when its manifest entry sets android:exported="true" or, for apps targeting API levels below 31, when it declares an intent-filter without setting android:exported at all. An exported component that is not guarded by an android:permission attribute can be started, bound to, or sent intents by any other app installed on the same device, whatever that app's own permissions are.

That is the realistic attacker here. The CVSS 4.0 vector (AV:L/AC:L/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) describes a local attack of low complexity by a low-privileged principal with no user interaction, which on Android usually means a malicious or compromised app already present on the device rather than a person holding the phone. The impact on confidentiality, integrity and availability is rated low, there is no subsequent-system impact, and E:P records that a proof-of-concept has been published. The advisory does not name the affected components or what they do, so the concrete consequence cannot be derived from the record alone; in general, unguarded exported components let a co-resident app read or modify data the vulnerable app handles, invoke functionality that runs with the vulnerable app's own permissions, or disrupt the app.

The vendor was contacted before disclosure but did not respond, and no patch or vendor mitigation has been published. No exploitation in the wild has been reported, but the public proof-of-concept lowers the bar for attempts.

Potential Impact

For European organizations, the impact depends on whether the InstantBits Web Video Cast App is present on devices that also handle corporate data. An attacker who can drive the app's exported components could read or manipulate the data the app handles or disrupt its casting functionality, but the vector (SC:N/SI:N/SA:N) gives no path from this flaw to other apps or to the device itself. The precondition is code already running on the device with ordinary app privileges, so the threat is most relevant where users install apps from outside a curated store, on shared or unmanaged BYOD devices, and where a device is lost or handled by a third party. If personal data is exposed, GDPR notification duties and reputational consequences follow as with any unauthorized access. The medium severity, local attack vector and absence of subsequent-system impact keep the overall exposure modest; organizations that enforce device access controls and app allow-listing face correspondingly less risk.

Mitigation Recommendations

1. Restrict physical and logical access to devices running the affected app: enforce strong device lock mechanisms and endpoint security policies.
2. Audit the use of the InstantBits Web Video Cast App on corporate and BYOD devices and consider restricting or removing it until a patched version is available.
3. Where an MDM or mobile threat defense product reports it, watch for unusual app behaviour or unexpected inter-app communication with the app, which could indicate exploitation attempts.
4. Use mobile device management (MDM) to block the app outright on managed devices, or to enforce a minimum version once a fixed release exists; MDM cannot change a third-party app's exported components, so version control is the lever.
5. Encourage users to update the app promptly once the vendor releases a patched version.
6. Verify the exposure yourself rather than relying on the record: decode the installed APK's manifest (for example with apkanalyzer manifest print from the Android SDK build tools) and list the components that are exported without an android:permission guard. Developers of in-house Android apps should apply the same check to their own manifests and set android:exported="false" on every component that only the app itself needs to reach.
7. Educate users about the risks of local device access, including installing apps from untrusted sources, and the importance of securing their devices against unauthorized physical access.
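The following is an added example, not code from InstantBits, VulDB or this advisory, of the manifest check referred to in the Technical Analysis and in recommendation 6 above. It applies Android's export-defaulting rules (explicit android:exported wins; otherwise an intent-filter implies exported for targetSdk below 31; content providers default to exported only below targetSdk 17) to a decoded manifest and lists every component a co-resident app can reach without holding a permission. The manifest embedded here is constructed for illustration: the package name is the one from the advisory, but the component names and the targetSdkVersion are assumptions and do not describe the real app.

```python
"""Static audit of an AndroidManifest.xml for exported components.

Added example; not code from InstantBits or from this advisory. The
sample manifest is constructed: the package name comes from the advisory,
the component names and targetSdkVersion are assumptions.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: an activity exported implicitly through an intent-filter
# (no android:exported), a service exported explicitly with no permission, a
# receiver exported but guarded by a permission, and a provider kept internal.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.instantbits.cast.webvideo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30" />
  <application>
    <activity android:name=".ExampleVideoActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="http" />
      </intent-filter>
    </activity>
    <service android:name=".ExampleCastService" android:exported="true" />
    <receiver android:name=".ExampleReceiver" android:exported="true"
        android:permission="com.instantbits.cast.webvideo.permission.INTERNAL" />
    <provider android:name=".ExampleProvider"
        android:authorities="com.instantbits.cast.webvideo.example"
        android:exported="false" />
  </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _target_sdk(root):
    """targetSdkVersion, falling back to minSdkVersion and then 1 as the platform does."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    value = _android_attr(uses_sdk, "targetSdkVersion") or _android_attr(uses_sdk, "minSdkVersion")
    return int(value) if value else 1


def classify(elem, target_sdk):
    """Return (exported, reason) following Android's defaulting rules."""
    explicit = _android_attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true", "android:exported=%s" % explicit
    if elem.tag == "provider":
        # Providers default to exported only for targetSdkVersion < 17.
        return target_sdk < 17, "provider default for targetSdk %d" % target_sdk
    if elem.find("intent-filter") is not None:
        # An intent-filter without android:exported means exported for targetSdk < 31;
        # from 31 on the package fails to install until the developer decides
        # explicitly. Treat it as exported: that is what the filter asks for.
        return True, "implicit: intent-filter without android:exported"
    return False, "no intent-filter, no android:exported"


def audit_manifest(xml_text):
    """Return one finding per component: kind, name, exported, reason, permission."""
    root = ET.fromstring(xml_text)
    target_sdk = _target_sdk(root)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported, reason = classify(elem, target_sdk)
        permission = _android_attr(elem, "permission")
        if elem.tag == "provider" and not permission:
            # Providers may be guarded by read/write permissions instead.
            permission = _android_attr(elem, "readPermission") or _android_attr(elem, "writePermission")
        findings.append({"kind": elem.tag, "name": _android_attr(elem, "name"),
                         "exported": exported, "reason": reason, "permission": permission})
    return findings


def unguarded_exports(xml_text):
    """Names of components any app on the device can reach without holding a permission."""
    return [f["name"] for f in audit_manifest(xml_text) if f["exported"] and not f["permission"]]


if __name__ == "__main__":
    # Optional argument: a decoded AndroidManifest.xml; otherwise the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for f in audit_manifest(text):
        state = "EXPORTED" if f["exported"] else "internal"
        guard = "perm=%s" % f["permission"] if f["permission"] else "no permission"
        print("%-8s %-22s %-9s %-14s (%s)" % (f["kind"], f["name"], state, guard, f["reason"]))
```

To run it against a real package, decode the manifest first (for example `apkanalyzer manifest print app.apk > AndroidManifest.xml`) and pass the file path as the argument. Components reported as EXPORTED with "no permission" are the ones to examine in code; on the constructed sample those are .ExampleVideoActivity and .ExampleCastService, while .ExampleReceiver shows the guarded form and .ExampleProvider the closed form that recommendation 6 asks for.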


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-19T10:51:45.599Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 687cec15a83201eaac028ab1

Added to database: 7/20/2025, 1:16:05 PM

Last enriched: 7/20/2025, 1:31:09 PM

Last updated: 7/20/2025, 1:31:09 PM

