
CVE-2025-9097: Improper Export of Android Application Components in Euro Information CIC banque et compte en ligne App

Medium
Tags: Vulnerability, CVE-2025-9097
Published: Mon Aug 18 2025 (08/18/2025, 00:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Euro Information
Product: CIC banque et compte en ligne App

Description

A vulnerability was found in Euro Information CIC banque et compte en ligne App 12.56.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.cic_prod.bad. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/18/2025, 00:32:47 UTC

Technical Analysis

CVE-2025-9097 is a medium-severity vulnerability affecting version 12.56.0 of the Euro Information CIC banque et compte en ligne Android application. The root cause is an improper export configuration of an Android application component declared in AndroidManifest.xml, specifically within the component com.cic_prod.bad. An improperly exported component is reachable by other applications or processes on the same device without adequate restrictions, so a local attacker (anyone with access to the device, including a malicious app installed on it) can interact with the component in unintended ways. Since the attack vector is local (AV:L), the attacker must have physical or logical access to the device. The vulnerability requires low privileges (PR:L), no user interaction (UI:N) and no special attack requirements (AT:N), so exploitation is feasible once local access is obtained. The impact on confidentiality, integrity, and availability is limited but non-negligible: the exported component could expose sensitive functionality or data within the banking app to unauthorized callers. The vendor was notified but did not respond, and no patch or mitigation has been published. No exploitation in the wild is known, but the exploit details have been publicly disclosed, which increases the risk. The vulnerability is therefore particularly relevant for users of the affected app version on Android devices, as it could be leveraged by malicious local apps or attackers with device access to compromise banking operations or data confidentiality.

Potential Impact

For European organizations, especially financial institutions and their customers using the CIC banque et compte en ligne app, this vulnerability poses a risk of unauthorized local access to sensitive banking components. While remote exploitation is not possible, attackers with physical access or who can trick users into installing malicious local apps could exploit this flaw to access or manipulate banking data or functionality. This could lead to unauthorized transactions, data leakage, or disruption of banking services. Given the banking sector's critical role in Europe’s economy and the sensitivity of financial data, even local vulnerabilities can have significant reputational and financial consequences. Furthermore, compliance with GDPR and other data protection regulations means that any data breach resulting from this vulnerability could lead to regulatory penalties. The lack of vendor response and absence of patches increases the urgency for organizations to implement compensating controls to protect their users.

Mitigation Recommendations

Immediate mitigation steps include:

1) Advise users to update the app once a patch is released; until then, restrict physical access to devices and avoid installing untrusted applications.
2) Employ mobile device management (MDM) solutions to enforce app installation policies and restrict sideloading of unknown apps that could exploit this vulnerability.
3) Conduct internal audits of the app's permissions and exported components to identify and block potentially vulnerable components via Android security policies or third-party security tools.
4) Encourage users to enable device encryption and strong authentication to reduce the risk of local attackers gaining access.
5) Monitor device and app behavior for suspicious activity that could indicate exploitation attempts.
6) Engage with the vendor or consider alternative banking apps with better security track records if the vendor remains unresponsive.
7) For organizations developing similar apps, review AndroidManifest.xml exports carefully to avoid similar misconfigurations.
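Steps 3 and 7 both come down to auditing which manifest components other apps can reach. The following Python is an added example (not the vendor's code and not the affected app's manifest): it parses a constructed sample manifest and lists every component that is exported without a permission guard, applying the rule that, for targetSdk below 31, a component with an intent-filter and no explicit android:exported is exported by default.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest, not the real app's: a launcher activity, an activity
# with an intent-filter but no explicit android:exported (implicitly exported when
# targetSdk < 31), an exported service with no permission, and a receiver that is
# exported but guarded by a custom permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter><action android:name="com.example.bank.TRANSFER"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".PushReceiver" android:exported="true"
        android:permission="com.example.bank.permission.PUSH"/>
  </application>
</manifest>"""


def is_launcher(comp):
    """True if the component carries the MAIN action: the app entry point, expected to be exported."""
    return any(a.get(NS + "name") == "android.intent.action.MAIN" for a in comp.iter("action"))


def find_exposed_components(manifest_xml):
    """Return [(tag, name)] for components reachable by other apps with no android:permission.

    Export rule for targetSdk < 31: android:exported="true", or an <intent-filter>
    with android:exported unset (providers default to not exported).
    """
    root = ET.fromstring(manifest_xml)
    exposed = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(NS + "exported")
        if exported is None:
            is_exported = comp.tag != "provider" and comp.find("intent-filter") is not None
        else:
            is_exported = exported == "true"
        if is_exported and not is_launcher(comp) and comp.get(NS + "permission") is None:
            exposed.append((comp.tag, comp.get(NS + "name")))
    return exposed
```

Run find_exposed_components on a manifest pulled from the APK (for example via apktool) and confirm each listed component is meant to be public; anything that is not should get android:exported="false" or an android:permission guard.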


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-17T13:13:08.031Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a27124ad5a09ad009d5bb5

Added to database: 8/18/2025, 12:17:40 AM

Last enriched: 8/18/2025, 12:32:47 AM

Last updated: 8/18/2025, 4:12:44 AM

