CVE-2025-9093 is a security vulnerability identified in the BuzzFeed App version 2024.9 on the Android platform. The issue stems from improper exportation of Android application components, specifically due to misconfigurations in the AndroidManifest.xml file related to the component com.buzzfeed.android. In Android applications, components such as activities, services, broadcast receivers, and content providers can be exported to allow interaction with other apps or system components. Improper exportation means that components intended to be private or restricted are inadvertently made accessible to other local applications or users. This vulnerability requires local access to the device, meaning an attacker must have some level of physical or logical access to the device to exploit it. The vulnerability does not require user interaction and can be exploited with low attack complexity and privileges. The CVSS 4.0 vector indicates a medium severity with a score of 4.8, reflecting limited confidentiality, integrity, and availability impacts, and no network attack vector. While no known exploits are currently reported in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation attempts. The improper export could allow a local attacker to interact with the vulnerable components, potentially leading to unauthorized access to sensitive data, manipulation of app behavior, or privilege escalation within the app context. Since the vulnerability affects a widely used consumer app, it could be leveraged to compromise user privacy or device security on affected devices.

For European organizations, the impact of this vulnerability depends largely on the usage of the BuzzFeed App within their user base or workforce. Organizations with employees or clients using the affected app version on Android devices may face risks related to data leakage or unauthorized access to app components. Although the attack requires local access, scenarios such as shared devices, lost or stolen devices, or insider threats could lead to exploitation. The vulnerability could undermine user trust and lead to potential data privacy issues, especially under stringent European data protection regulations like GDPR. Additionally, if the app is used in corporate environments or on devices with access to sensitive organizational data, exploitation could facilitate lateral movement or further compromise. However, since the vulnerability does not allow remote exploitation and has limited impact on system-wide integrity or availability, the overall risk to large-scale infrastructure or critical systems is moderate. Nonetheless, organizations should consider the potential for targeted attacks or privacy breaches stemming from this vulnerability.

To mitigate this vulnerability, organizations and users should ensure that the BuzzFeed App is updated to a version where the improper export issue is fixed once a patch is released. Until then, users should avoid installing or using the vulnerable version (2024.9) on devices that contain sensitive information or are used in corporate environments. Device-level mitigations include enforcing strict app sandboxing policies and restricting local app installations to trusted sources only. Organizations can implement mobile device management (MDM) solutions to monitor app versions and enforce updates. Additionally, educating users about the risks of local exploitation and encouraging secure device handling practices (e.g., using screen locks, avoiding shared device usage) can reduce exposure. Developers and security teams should audit AndroidManifest.xml configurations in their own apps to prevent similar misconfigurations. Finally, monitoring for unusual local activity on devices with the vulnerable app can help detect potential exploitation attempts.